Source: ccc.cs.lakeheadu.ca/cs4476/lecture.pdf

CS 4476/5413 Lecture Notes

INTRODUCTION TO

NETWORK SECURITY

Ruizhong Wei

Department of Computer ScienceLakehead University

Winter, 2003



Contents

1 Introduction  1
  1.1 Security attacks  3
  1.2 Security services  5
  1.3 A model for network security  5
  1.4 An overview  7

2 Conventional Cryptography  9
  2.1 A General Model  9
  2.2 The Shift Cipher  12
  2.3 The Substitution Cipher  14
  2.4 The Permutation Cipher  19
  2.5 The Vigenere Cipher  20
  2.6 The Hill Cipher  26
  2.7 Stream Cipher  29
  2.8 Product Cryptosystems  33
  2.9 Modular Arithmetics  34

3 Modern Block Ciphers  37
  3.1 The Data Encryption Standard  37
  3.2 Attacks on DES  43
  3.3 DES Modes and Triple-DES  44
  3.4 The Advanced Encryption Standard  47
  3.5 Some Other Block Ciphers  51
    3.5.1 CMVP  54
  3.6 Finite Fields  54

4 Public Key Encryption  59
  4.1 Some Math Facts in Number Theory  60


  4.2 RSA Public-key System  63
  4.3 ElGamal Cryptosystem  67
  4.4 Other Public-key Cryptosystems  70
  4.5 Public-key Systems and Secret-key Systems  70

5 Information Authentication  73
  5.1 Signature Schemes  73
  5.2 Message Authentication and Hash Functions  80
  5.3 Key Distribution  89
  5.4 Public Key Infrastructure  93
  5.5 Quantum Techniques in Cryptography  97
    5.5.1 Quantum key distribution BB84  98
    5.5.2 Shor's factoring algorithm  100

6 Remote Access Control  101
  6.1 UNIX Password Systems  101
  6.2 One Time Password  103
  6.3 Secure Shell  105

7 E-Mail Security  111
  7.1 Pretty Good Privacy  111
  7.2 S/MIME  116

8 Web Security  119
  8.1 SSL  119
  8.2 Secure Electronic Transaction (SET)  124

9 IP Secure  129
  9.1 TCP/IP Protocol  130
  9.2 IPSec documents  133
  9.3 Authentication Header  134
  9.4 Encapsulating Security Payload (ESP)  138
  9.5 Key Management  142

10 Firewall  149
  10.1 Some Characteristics of firewall  149
  10.2 Common Types of Firewall  151
  10.3 Implementation of Firewall  155


Bibliography 159

Index 160


Chapter 1

Introduction

Since the inception of computer networks, many security problems have been discovered, solved and developed. This is not only because some people have wished to demonstrate their intellectual prowess by attacking computer systems and networks, but also because others have had financial or political motives for performing attacks. On the other hand, so many different people use computer networks that there is always faulty management, faulty software and abuse of the resources connected to computer networks. These are the main causes of security problems for a network. Today, security has become one of the main problems for the development of computer networks and the internet. There is no simple way to establish a secure computer network. In fact, nowadays we cannot find a network in the world which does not have any security holes. It is understandable that any big complicated system, not just a computer network, has security problems. However, because the inventors of computer networks did not consider security when they just wanted to use a network to communicate between computers in one university office and another, and because the speed of the development of networks has been beyond anyone's imagination, the security problem for computer networks is more serious.

There are many aspects to network security. In this book, we focus on cryptography-based network security. It should be noted that cryptography is not the only thing required for network security. Other things such as organization, management, user policies, related law-making, etc. are also key to network security.

Recently, many people have pointed out that if cryptography is not used appropriately, it will damage the security of the network instead of enhancing it. So it is important to understand how to use cryptography correctly and what the limitations of cryptography are.

Now almost every computer is connected to some kind of network, and almost everyone using a computer knows there are security threats from a network. However, most people, including many IT technicians, do not really understand cryptography and network security protocols. There are many misunderstandings of cryptography-based network security. For example, we can often hear wrong statements such as:

• Public key encryption is more secure than secret key encryption.

• X.509 certificates are used to certify computers.

• A secure hash function can be used to encrypt data.

• A firewall can prevent computer virus attack.

In this book, we will not distinguish between the internet and a computer network, because the cryptography-based security considerations are similar for both. The internet is an open network, so no one knows its exact shape. A simple model of the internet is shown in Figure 1.1. In this model, local networks are connected to the internet through routers. The figure shows that sniffers might exist anywhere in the network. When a packet of a message goes through the network, any sniffer on the path is able to see it. For example, if you send an email in plain text, then the sniffers on the way can read your email without any difficulty. There is much software that can capture all the packets on the line. For example, an open source program called Ethereal, which is used to analyse networks, can be used to sniff packets. On the other hand, a hacker can send false messages and may be able to deceive other hosts in the network. So how we can trust information from the internet is a big question. A worse case is when a router is hacked: the hacker can then change any packet coming from or going to the local network.

The main idea of applying cryptography to network security is to encrypt the messages in communications over the network. In this way, only the person possessing the correct decryption key can understand the messages. However, we will see later that realizing this simple idea is very difficult in practice.

This book is designed as an introduction to cryptography-based network security which can serve as a textbook for a one-term undergraduate computer science course.


[Figure 1.1 (diagram): local networks connected to the Internet through routers, with sniffers placed at several points of the network]

Figure 1.1: Simple model of internet

To consider the security of a network, we need to understand what the common security attacks are and what kind of security services a good network should provide to protect against various attacks. In the rest of this chapter, we will consider these two aspects of network security.

1.1 Security attacks

Attacks on the security of a network can usually be classified into four or more categories according to the functions of a computer network as a provider of information. In the following we give a brief description of attacks, by no means an exhaustive list, to give readers some idea of security attacks in networks. An asset of a computer system means a part of the system, which can be hardware (CPU, memory, disk space, peripherals), software (applications, operating systems, utilities), data (files, databases, application input or output), etc.

• Interruption: An asset of the system is destroyed or becomes unavailable or unusable. Some examples are: destruction of a piece of hardware (hard disk, communication line, etc.), computer worms (independent programs that do not modify other programs but reproduce themselves over and over again until they slow down or shut down a computer system or a network), clogging (replaying some applications or using a lot of CPU time and space to do useless computing) or flooding (a very large amount of bogus traffic is sent to a node, such as a server or router).


• Interception: An unauthorized party gains access to an asset. Examples include wiretapping to capture data in a network (sniffing), illicit copying of files or programs, and Trojan horses (programs hiding in useful software, which collect information from the host and send it back to the hacker).

• Modification: An unauthorized party not only gains access to but tampers with an asset. Examples include changing values in a data file, altering a program so that it performs differently, modifying the content of messages being transmitted in a network, some computer viruses, computer bombs (time-triggered or logic-triggered), and salami attacks (small alterations of numbers in a file, each a small slice of an eventual large salami).

• Fabrication: An unauthorized party inserts counterfeit objects into the system. Examples include the insertion of spurious messages in a network or the addition of records to a file (setting up a fake bank web page to collect private information, sending emails using fake addresses).

There are different kinds of attackers who perform their desired or undesired attacks on a network. Usually we may divide them into two categories as follows.

• Passive attackers: By eavesdropping on or monitoring transmissions, a passive attacker does not modify the messages. The purpose of a passive attack is release of message contents or traffic analysis. An attacker may obtain sensitive or confidential messages by sniffing. If all the messages are encrypted, then the attacker may find it difficult to understand them. However, the attacker can still do traffic analysis to see changes in the amount of traffic, its pattern, its destinations, etc. It is hard to detect a passive attacker. The main consideration is how to prevent such attacks.

• Active attackers: An active attacker will modify the data stream or create a false stream. Examples include masquerade (one entity pretends to be a different entity), replay (capturing data and retransmitting it), modification of messages (changing some portion of the data), and denial of service (preventing or inhibiting the normal use or management of communication facilities). For active attackers, we want to detect them first. It is difficult to prevent such attacks completely.


1.2 Security services

A security service enhances the security of the data processing systems and information transfers of an organization. The services are intended to counter security attacks, and they use security mechanisms to provide the service. Usually, we consider the following security services.

• Confidentiality: Ensures that the information is accessible only for reading by authorized parties. Confidentiality is the protection of transmitted data from passive attacks. The basic method for this service is encryption.

• Authentication: Ensures that the origin of a message is correctly identified, with an assurance that the identity is not false.

• Integrity: Ensures the precision, accuracy, and consistency of information. Transmitted information and computer systems can only be modified in acceptable ways by authorized entities. This service includes protection of information and detection of violations.

• Nonrepudiation: Requires that neither the sender nor the receiver of a message be able to deny the transmission.

• Access control: Requires that access to information resources be controlled by or for the target system.

• Availability: Requires that system data and services be available to authorized parties when needed.

1.3 A model for network security

We will discuss a general model of network security, shown in Figure 1.2.

In this model, two principals are connected by an information channel. They transfer information through the information channel. The information channel is open, so others can also access the channel. An opponent is connected to the information channel. Security measures come into play to protect the information transmission from the opponent. Since the opponent is connected to the information channel, he can receive all the messages going through the information channel, and he can also send faked information to the principals.

[Figure 1.2 (diagram): two principals joined by an information channel, an opponent attached to the channel, and a trusted third party connected to both principals]

Figure 1.2: Model for network security

Sometimes a trusted third party (e.g., an arbiter or a distributor of secret information) is needed. In this case, the opponent is supposed to be unable to get the information communicated between the trusted third party and the principals. So we suppose that there is a secret channel between the trusted third party and each principal. For example, a trusted third party can be a bank and the principal a client. The bank can give the client a credit card by regular mail or by hand, so we suppose that there is a secure channel between the bank and the client. We will see later that in many cases related to networks it is difficult to find a secure channel.

All the discussion of network security in this book will be based on this model.

Network security is a subset of information security. The rapid development of the internet makes network security more and more important for information security.


1.4 An overview

The basic idea of cryptography-based network security is that all the data going through the network is encrypted. In this way, although people can capture the data, they will not know the meaning of the data, where it comes from or where it is going. So the first problem for cryptography is to find good encryption systems.

(Margin keywords: DES, AES) Every encryption system needs some secret key for encrypting and decrypting. Since the number of users of the internet is huge, how to deliver these keys is a difficult problem. To solve this problem, researchers invented public key encryption systems. In a public key encryption system, the encrypting key is public but the decrypting key is kept secret.

(Margin keywords: RSA, Diffie-Hellman) If someone, say Bob, publishes a public key, then other people can use this key to encrypt messages when they want to send messages to Bob. But there is a problem: how can you be sure that the public key was really published by Bob? So the public key needs to be certified.

(Margin keywords: X.509; MD5, SHA) Another problem of network security is message authentication. We want to make sure that the message was really sent by the sender and that the message has not been altered by a third party. For that purpose, hash functions and signature schemes are used.


Chapter 2

Conventional Cryptography

Conventional encryption, also referred to as private-key (or single-key) encryption, has been used in cryptographic systems for a long time. Some people also use the term symmetric encryption, because in such a system both encryption and decryption use the same key. In this chapter, we discuss some classical encryption systems. Although most systems mentioned in this chapter are no longer in use, we can learn some basic ideas and problems of symmetric encryption by investigating these systems.

In this chapter, we first introduce a general model of a conventional cryptosystem. Then several cryptosystems are investigated. Some basic methods of attacking these systems are introduced. These attacks (also called cryptanalysis) give us some idea of the requirements for a good encryption function.

2.1 A General Model

A general model for a conventional cryptosystem is shown in Figure 2.1. In this model, there is a message sender called Alice and a message receiver called Bob. The message goes through a public channel. A third person, Oscar, will try to get the message through the public channel. Since both Alice and Bob want to keep the message secret, they use some method to encrypt the message so that Oscar can only obtain the encrypted data. The encryption and decryption depend on some secret key which only Alice and Bob know. Therefore there should be a secret channel for Alice and Bob to transfer the secret key in this model. Note that in practice, a secret channel may not exist in many cases. So in these cases, we cannot use a conventional cryptosystem directly. We will discuss that situation in Chapter 4.

[Figure 2.1 (diagram): Alice's encryption algorithm maps plaintext x to ciphertext y, which travels over the public channel to Bob's decryption algorithm; Oscar observes the public channel; the key K, drawn from the key space, is delivered to Alice and Bob over the secret channel]

Figure 2.1: A model of conventional cryptosystem

Now we give a formal definition of a cryptosystem.

Definition 2.1.1 A cryptosystem is a five-tuple (P, C, K, E, D), where the following conditions are satisfied:

1. P is a finite set of possible plaintexts.

2. C is a finite set of possible ciphertexts.

3. K, the key space, is a finite set of possible keys.

4. For each key K ∈ K, there is an encryption rule eK ∈ E and a corresponding decryption rule dK ∈ D. Each eK : P → C and dK : C → P are functions such that dK(eK(x)) = x for every plaintext x ∈ P.

In practice, a plaintext message is usually expressed as a string

x = x1x2 · · · xn


where xi ∈ P, 1 ≤ i ≤ n, and a ciphertext is also a string

y = y1y2 · · · yn,

where yi = eK(xi) ∈ C, 1 ≤ i ≤ n.

The procedure of communication may be roughly described as follows. When Alice and Bob want to communicate with each other, they first select a suitable cryptosystem. Alice and Bob then secretly select a random key K ∈ K. When Alice wants to send a plaintext xi to Bob, she computes and sends yi = eK(xi) to Bob. Bob then decrypts it by computing xi = dK(yi) after he receives yi. Oscar can see yi and will try to find the key K or the plaintext xi. The process of attempting to discover the plaintext or the secret key is known as cryptanalysis.

In general, we cannot theoretically prove a cryptosystem to be secure. However, people can evaluate a system by attacking it. So developing cryptanalysis techniques is a very important part of cryptographic research.

To consider cryptanalysis, we need to set some conditions and divide the situations into several different levels. In this book, we will always assume that Oscar knows the encryption algorithm (this is called Kerckhoffs' principle), but he does not know the key.

There are several types of attacks on encrypted messages, depending on the power of the attacker. We give a brief description of these types in the following. All types are under Kerckhoffs' principle, so all the attackers know the encryption and decryption algorithms.

• Ciphertext-only: Oscar possesses a string of ciphertext y. He wants to find the plaintext or the key.

• Known plaintext: Oscar possesses a string of plaintext and the corresponding ciphertext. He wants to find the key.

• Chosen plaintext: Oscar can choose a plaintext string and obtain the corresponding ciphertext string. That means Oscar can temporarily use the encryption machine. He wants to find the key.

• Chosen ciphertext: Oscar can choose a string of ciphertext and obtain the corresponding plaintext string. In this case, Oscar can temporarily use the decryption machine. He wants to find the key.


Clearly, the first three levels of attack are listed in increasing order of strength. Chosen ciphertext attacks are more relevant to public key systems, which we will discuss later. In general, we will not consider a cryptosystem secure enough if it can only tolerate ciphertext-only attacks.

Note that in the above model, there is a secure channel between Alice and Bob. In many cases, that condition is not available in computer systems. This limitation of conventional cryptosystems led to the development of public-key cryptography, which we will discuss later.

Next we will start to introduce some encryption methods. These methods are not secure now. However, from them we can learn some ideas about how to encrypt and decrypt, and some requirements for a secure encryption system.

From the definition of a cryptosystem, we know that the encryption function should be one-to-one, because the encryption should be reversible (decryption). We also need to understand why an encryption system needs a secret key. Since we want an encryption system to be secure, the encryption function and decryption function are usually very complicated, so it is difficult to send the algorithms through a secret channel. Moreover, we will see that if an encryption method is fixed for a long time, then it is not secure. So if the encryption system uses a secret key, then the algorithm can be used for a long time while the secret key is changed frequently. A key is much simpler than the algorithm and relatively easy to send through the secret channel. It is obvious that the key should have the property that the result of the encryption is totally different if the key is slightly changed.

2.2 The Shift Cipher

The Shift Cipher (also known as the Caesar Cipher) is a very simple encryption method. Before introducing that method, we need some knowledge of modular arithmetic, for which we refer to Section 2.9.

Now we present the Shift Cipher in Figure 2.2. To use the Shift Cipher, we make use of the following correspondence.

a  b  c  d  e  f  g  h  i  j  k   l   m
0  1  2  3  4  5  6  7  8  9  10  11  12

n   o   p   q   r   s   t   u   v   w   x   y   z
13  14  15  16  17  18  19  20  21  22  23  24  25


Let P = C = K = Z26. For 0 ≤ K ≤ 25, define

eK(x) = x + K mod 26

and

dK(y) = y − K mod 26,

where x, y ∈ Z26.

Figure 2.2: The Shift Cipher

Example 2.2.1 Suppose Alice and Bob use the key K = 10 in the Shift Cipher. When Alice wants to send the plaintext

iwanttomeetyou,

Alice first converts the text to a sequence of integers:

8 22 0 13 19 19 14 12 4 4 19 24 14 20

Then she adds 10 to each value, reducing each sum modulo 26:

18 6 10 23 3 3 24 22 14 14 3 8 24 4.

Therefore the ciphertext is:

SGKXDDYWOODIYE.

To decrypt the ciphertext, Bob first converts the ciphertext to a sequence of integers, then subtracts 10 from each value, and finally converts the sequence of integers back to alphabetic characters.

Note that we used upper case letters for ciphertext and lower case letters for plaintext to improve readability. We will keep this format in the rest of the book.


If a cryptosystem is "secure", then it will be very difficult for Oscar to find the plaintext. However, the Shift Cipher is easy to break. In fact, the key space of this system is very small (only 26 keys). Thus Oscar can try each of these keys until he finds the meaningful plaintext. So the shift cipher is very weak. It is easily broken even under a ciphertext-only attack.

The attack using exhaustive key search is also referred to as a brute-force attack.

Remark 2.2.1 For a secure cryptosystem, the key space must be large enough so that the brute-force attack does not work.

The value 26 in the Shift Cipher is not significant. For example, we can use Z27 for the 26 alphabetic characters and the space. Actually, we can use a very large key space for a shift cipher. For example, we can use a key space of size 26 × 26 = 676 as follows. Divide the plaintext into "blocks" of size 2. Let each combination of two characters correspond to a number in Z676: let aa correspond to 0, ab to 1, ac to 2, and so on. However, we will see later that no matter how large the key space is, the shift cipher is not secure.
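The Shift Cipher of Figure 2.2, Example 2.2.1 and the exhaustive key search described above, as an added Python example (not code from the lecture notes). It assumes the notes' a..z ↔ 0..25 correspondence and scores each candidate plaintext by how many of its letters belong to the two most frequent letter groups (E and T, A, O, I, N, S, H, R); `known_plaintext_key` shows why a larger key space does not help, since one known (plaintext, ciphertext) pair yields K directly.

```python
from string import ascii_lowercase

# Correspondence used in the notes: a..z <-> 0..25.  Plaintext is written in
# lower case and ciphertext in upper case, following the book's convention.
ALPHABET = ascii_lowercase
M = 26


def to_ints(text):
    """Map a string of letters (either case) to integers in Z26."""
    values = []
    for ch in text.lower():
        if ch not in ALPHABET:
            raise ValueError(f"non-alphabetic character: {ch!r}")
        values.append(ALPHABET.index(ch))
    return values


def to_text(values, upper=False):
    text = "".join(ALPHABET[v % M] for v in values)
    return text.upper() if upper else text


def shift_encrypt(plaintext, key):
    """e_K(x) = x + K mod 26, applied letter by letter (Figure 2.2)."""
    return to_text([(x + key) % M for x in to_ints(plaintext)], upper=True)


def shift_decrypt(ciphertext, key):
    """d_K(y) = y - K mod 26."""
    return to_text([(y - key) % M for y in to_ints(ciphertext)])


# Letters of frequency groups 1 and 2 (E, T, A, O, I, N, S, H, R).  The score
# is the number of letters of a candidate plaintext that fall in this set.
COMMON = set("etaoinshr")


def english_score(text):
    return sum(ch in COMMON for ch in text)


def brute_force(ciphertext):
    """Exhaustive key search: decrypt under all 26 keys, best-scoring first."""
    candidates = [(k, shift_decrypt(ciphertext, k)) for k in range(M)]
    return sorted(candidates, key=lambda kc: english_score(kc[1]), reverse=True)


def known_plaintext_key(plain_char, cipher_char):
    """One (plaintext, ciphertext) letter pair reveals K = y - x mod 26."""
    return (to_ints(cipher_char)[0] - to_ints(plain_char)[0]) % M


if __name__ == "__main__":
    ct = shift_encrypt("iwanttomeetyou", 10)        # Example 2.2.1
    print(ct)                                        # SGKXDDYWOODIYE
    for k, cand in brute_force(ct)[:3]:              # key 10 ranks first
        print(k, cand, english_score(cand))
    print(known_plaintext_key("i", "S"))             # 10
```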

2.3 The Substitution Cipher

The Substitution Cipher can be seen as a generalization of the Shift Cipher. For simplicity, we still define the Substitution Cipher in Z26 and use the same correspondence between letters and integers as we did for the Shift Cipher.

In the substitution cipher, we use permutations of Z26. A permutation of a finite set X is a bijective function π : X → X. Therefore each permutation has an inverse function, called the inverse permutation π−1. They satisfy the following rule:

π(x) = x′ if and only if π−1(x′) = x.

Clearly, π−1 is also a permutation of X.

Usually, we write a permutation as two rows of elements of X. For example, a permutation on Z9 can be written as

π = ( 0 1 2 3 4 5 6 7 8
      2 5 1 4 3 6 0 8 7 )


So π(0) = 2, π(1) = 5, etc. It is easy to see that

π−1 = ( 0 1 2 3 4 5 6 7 8
        6 2 0 4 3 1 5 8 7 )

The Substitution Cipher is defined as in Figure 2.3.

Let P = C = Z26, and let K consist of all possible permutations of the 26 symbols 0, 1, ..., 25. For each permutation π ∈ K, define

eπ(x) = π(x)

and

dπ(y) = π−1(y),

where π−1 is the inverse permutation of π.

Figure 2.3: The Substitution Cipher

In practice, it is not necessary to use Z26 as plaintext and ciphertext. Wecan directly use the permutation on 26 alphabetic characters.

Example 2.3.1 Alice and Bob choose a random permutation as follows.

a  b  c  d  e  f  g  h  i  j  k  l  m
C  G  H  W  Z  Q  T  N  M  L  S  X  V

n  o  p  q  r  s  t  u  v  w  x  y  z
R  Y  E  O  F  D  J  I  K  U  P  B  A

Alice's plaintext is the following.

our friend from paris examined his empty glass with surprise as if evaporation had taken place while he wasnt looking i poured some more wine and he settled back in his chair face tilted up towards the sun


Using the permutation, she obtains the following ciphertext.

YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ

NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ

NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ

XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

The permutation π−1 can easily be obtained by swapping the first and second rows of π and then sorting the columns into alphabetical order:

a  b  c  d  e  f  g  h  i  j  k  l  m
Z  Y  A  S  P  R  B  C  U  T  V  J  I

n  o  p  q  r  s  t  u  v  w  x  y  z
H  Q  X  F  N  K  G  W  M  D  L  O  E

Since Bob knows π, he can decrypt the ciphertext and get the plaintext.

There are 26! permutations in total on the 26 alphabetic characters. So the key space of the Substitution Cipher is greater than 4.0 × 10^26. Thus an exhaustive key search is infeasible.

To attack the Substitution Cipher, Oscar may use the statistical properties of the English language. By compiling statistics from numerous novels, magazines and newspapers, Beker and Piper obtained the probabilities of the 26 letters shown in Figure 2.4.

letter  probability   letter  probability   letter  probability
A       .082          J       .002          S       .063
B       .015          K       .008          T       .091
C       .028          L       .040          U       .028
D       .043          M       .024          V       .010
E       .127          N       .067          W       .023
F       .022          O       .075          X       .001
G       .020          P       .019          Y       .020
H       .061          Q       .001          Z       .001
I       .070          R       .060

Figure 2.4: Probability of 26 letters

On the basis of these probabilities, we can partition the 26 letters into 5 groups.


1. E, having probability about 0.120

2. T, A, O, I, N, S, H, R, each having probability between 0.06 and 0.09

3. D,L, each having probabilities around 0.04

4. C,U,M,W,F,G,Y,P,B, each having probabilities between 0.028 and 0.015

5. V,K,J,X,Q,Z, each having probabilities less than 0.01.

It is also useful to consider the frequencies of two or three consecutive letters (called digrams and trigrams, respectively). The 30 most common digrams are (in decreasing order) TH, HE, IN, ER, AN, RE, ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, TI, IS, ET, IT, AR, TE, SE, HI and OF. The 12 most common trigrams are (in decreasing order) THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR and DTH.

To find the plaintext and the key in Example 2.3.1, we first count the occurrences of the 26 letters in the ciphertext:

letter  frequency   letter  frequency   letter  frequency
A       0           J       11          S       3
B       1           K       1           T       2
C       15          L       0           U       5
D       13          M       16          V       5
E       7           N       9           W       8
F       11          O       0           X       6
G       1           P       1           Y       10
H       4           Q       4           Z       20
I       5           R       10

Since Z occurs significantly more often than any other character, we guess dK(Z) = e.

The remaining characters that occur at least ten times are C, D, F, J, M, R and Y. We expect them to be encryptions of t, a, o, i, n, s, h, r, but we cannot yet decide the correspondence, since their frequencies are close. So we look at digrams, especially those of the form *Z and Z* (remember that we already assumed dK(Z) = e). In the ciphertext, DZ and ZW appear four times each, NZ and ZU appear three times each, and RZ, HZ, XZ, FZ, ZR, ZV, ZC, ZD and ZJ appear twice each. Since ZW appears four times, W might be the encryption of r, d, s or n. On the other hand, W is not a frequent letter (it appears only 8 times), so we decide that dK(W) = d.

From DZ, we can guess that D is the encryption of h, r, t or s. Since ZD appears two times, D may be from r, t or s, but it is not yet clear which is correct.

We now look at digrams of the form *W. ZW appears four times and RW appears two times. So we guess that dK(R) = n (giving the common digram ND).

Since NZ appears 3 times while ZN occurs only once (across the break between the second and third ciphertext lines), and HE is far more common in English than EH, we assume that dK(N) = h.

With all the above assumptions we find a string ne*ndhe in the plaintext, where * comes from C. Since C appears 15 times in the ciphertext, we try t, a, o and i for it and conclude that C is the encryption of a (neandhe). So we have the following:

YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ

******end*****a***e*a**nedh**e******a*****

NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ

h*******ea***e*a***a***nhad*a*en**a*e*h**e

NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ

he*a*n******n******ed***e***e**neandhe*e**

XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR

*ed*a***nh***ha***a*e****ed*****a*d**he**n

We now consider M, the second most common ciphertext character. We expect dK(M) ∈ {t, o, i, s}. From the ciphertext segment MRNM and the corresponding plaintext *nh*, we see that dK(M) is not t or s. The digrams CM and NM in the ciphertext suggest that dK(M) = i (giving ai and hi).

Next we try to determine which ciphertext letter is the encryption of o. We guess that it is one of D, F, J, Y. However, we know that D is the encryption of r, s or t. If dK(F) = o, we would have aoi (from CFM); if dK(J) = o, we would have aoi (from CJM). So we assume dK(Y) = o. Then D, F, J are the encryptions of t, s, r in some order. The segment NMD suggests dK(D) = s (his). We guess dK(J) = t from JY (to) and JN (th). Therefore dK(F) = r. The segment HNCMF could be the encryption of chair, which gives dK(H) = c.

It is easy to determine the plaintext and the key now.
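The bookkeeping behind this analysis, as an added Python example that is not part of the original lecture notes: it implements the substitution table of Example 2.3.1, checks that it reproduces the ciphertext above, counts single letters and digrams, and prints the partial decryption for a set of guessed letter mappings. The table, plaintext and ciphertext are the page's; the function names are mine.

```python
from collections import Counter
from string import ascii_lowercase, ascii_uppercase

# Permutation pi of Example 2.3.1: plaintext letter -> ciphertext letter.
PI = dict(zip(ascii_lowercase, "CGHWZQTNMLSXVRYEOFDJIKUPBA"))

# The ciphertext of Example 2.3.1 (four display lines of 42 letters each).
CIPHERTEXT = (
    "YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVEJBTXCDDUMJ"
    "NDIFEFMDZCDMQZKCEYFCJMYRNCWJCSZREXCHZUNMXZ"
    "NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZJJ"
    "XZWGCHSMRNMDHNCMFQCHZJMXJZWIEJYUCFWDJNZDIR"
)


def encrypt(plaintext: str, key: dict = PI) -> str:
    """Apply a substitution key letter by letter; spaces are dropped."""
    return "".join(key[ch] for ch in plaintext.lower() if ch in key)


def decrypt(ciphertext: str, key: dict = PI) -> str:
    """Apply the inverse permutation pi^-1 (swap the two rows of the table)."""
    inv = {c: p for p, c in key.items()}
    return "".join(inv[ch] for ch in ciphertext if ch in inv)


def letter_counts(text: str) -> Counter:
    return Counter(ch for ch in text if ch in ascii_uppercase)


def digram_counts(text: str) -> Counter:
    """Count overlapping two-letter sequences such as DZ and ZW."""
    return Counter(text[i:i + 2] for i in range(len(text) - 1))


def neighbours(text: str, letter: str) -> tuple:
    """Digrams of the form letter* and *letter, used above to place e, d, n, h."""
    d = digram_counts(text)
    after = Counter({k: v for k, v in d.items() if k[0] == letter})
    before = Counter({k: v for k, v in d.items() if k[1] == letter})
    return after, before


def partial_decrypt(ciphertext: str, guesses: dict) -> str:
    """Replace guessed ciphertext letters by their plaintext, '*' elsewhere."""
    return "".join(guesses.get(ch, "*") for ch in ciphertext)


if __name__ == "__main__":
    print(letter_counts(CIPHERTEXT).most_common(8))
    after_z, before_z = neighbours(CIPHERTEXT, "Z")
    print("Z*:", after_z.most_common(4), " *Z:", before_z.most_common(4))
    guesses = {"Z": "e", "W": "d", "R": "n", "N": "h", "C": "a"}
    for i in range(0, len(CIPHERTEXT), 42):
        print(CIPHERTEXT[i:i + 42])
        print(partial_decrypt(CIPHERTEXT[i:i + 42], guesses))
```

Extending the `guesses` dictionary step by step, as the text does, turns the '*' lines into readable English; each new guess can be checked immediately against the digram and trigram lists.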


In both the Shift Cipher and the Substitution Cipher, once a key is chosen, each alphabetic character is mapped to a unique alphabetic character. A cryptosystem satisfying this condition is called monoalphabetic.

Remark 2.3.1 All monoalphabetic cryptosystems can be attacked by the guess-and-check method above, based on the frequencies of single alphabetic characters, digrams, trigrams, etc.

Probabilistic methods are important tools for cryptanalysis. A good ciphertext should look like a random string, so that no such statistics of the plaintext survive encryption.

2.4 The Permutation Cipher

Now we consider some cryptosystems which are not monoalphabetic. First we consider the Permutation Cipher (or Transposition Cipher), which has been used for hundreds of years.

The Permutation Cipher can be described as in Figure 2.5.

Let m be a fixed positive integer. Let P = C = (Z26)^m and let K consist of all permutations of {1, 2, ..., m}. For a key π ∈ K, define

$$e_\pi(x_1, \ldots, x_m) = (x_{\pi(1)}, \ldots, x_{\pi(m)})$$

and

$$d_\pi(y_1, \ldots, y_m) = (y_{\pi^{-1}(1)}, \ldots, y_{\pi^{-1}(m)}),$$

where π^{-1} is the inverse permutation of π.

Figure 2.5: The Permutation Cipher

Let us use an example to explain how to use the Permutation Cipher.

Example 2.4.1 Suppose Alice and Bob decide that m = 6 and use the permutation

$$\pi = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 & 6 \\ 4 & 3 & 1 & 6 & 2 & 5 \end{pmatrix}.$$


Alice wants to send the plaintext:

he walked up and down the passage two or three times.

Alice first divides the plaintext into groups of size 6 (we call these groups blocks):

hewalk edupan ddownt hepass agetwo orthre etimes

then applies the permutation to each block, moving the letter in position i to position π(i) (so in the first block h goes to position 4, e to position 3, w to position 1, and so on; in the notation of Figure 2.5 this is e_{π^{-1}}), and obtains the ciphertext:

WLEHKAUADENPONDDTWPSEHSAEWGAOTTRROEHIETESM.

When Bob receives the ciphertext, he divides it into blocks of size 6 and undoes the permutation on each block, moving the letter in position i to position π^{-1}(i), where

$$\pi^{-1} = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 & 6 \\ 3 & 5 & 2 & 1 & 6 & 4 \end{pmatrix}.$$

Then he obtains the plaintext.

The Permutation Cipher is not monoalphabetic. In the above example, the ciphertext letter standing in the position of the first e is L, in the position of the second e it is U, and in the position of the third e it is S. This encryption does not change the letters themselves, only their positions, so the frequency of each alphabetic character is the same in the ciphertext as in the plaintext. Single-letter frequencies therefore tell Oscar that a transposition was used, but give him no help in recovering π.

The Permutation Cipher is more difficult to break with a ciphertext-only attack. However, it succumbs easily to a known plaintext attack: if Oscar knows both plaintext and ciphertext, he tries block lengths m in turn until every ciphertext block is an anagram of the corresponding plaintext block, and then reads π off by matching the position of each letter in a plaintext block to its position in the ciphertext block.
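The Permutation Cipher under the convention of Example 2.4.1, together with the known plaintext attack just described, as an added Python example that is not code from the lecture notes. The function names are mine; `recover_key` intersects, over all blocks, the positions where each plaintext letter can have landed (the general form of the matching described above, which also copes with repeated letters inside a block), and `find_block_length` tries m in turn.

```python
# Convention of Example 2.4.1: the letter in position i of a block moves to
# position pi(i) of the ciphertext block (positions are 1-based, as in the notes).
PI = (4, 3, 1, 6, 2, 5)


def inverse(pi: tuple) -> tuple:
    """Inverse permutation: if pi(i) = p then pi^-1(p) = i."""
    inv = [0] * len(pi)
    for i, p in enumerate(pi, start=1):
        inv[p - 1] = i
    return tuple(inv)


def encrypt(plaintext: str, pi: tuple) -> str:
    m = len(pi)
    text = "".join(ch for ch in plaintext.lower() if ch.isalpha())
    if len(text) % m:
        raise ValueError("plaintext length must be a multiple of the block size")
    out = []
    for b in range(0, len(text), m):
        block, cblock = text[b:b + m], [""] * m
        for i, ch in enumerate(block):
            cblock[pi[i] - 1] = ch          # position i -> position pi(i)
        out.append("".join(cblock))
    return "".join(out).upper()


def decrypt(ciphertext: str, pi: tuple) -> str:
    """Decryption is encryption with pi^-1 (position i -> position pi^-1(i))."""
    return encrypt(ciphertext, inverse(pi)).lower()


def recover_key(plaintext: str, ciphertext: str, m: int):
    """Known-plaintext attack for a given block size m: pi(i) must be a position
    that, in every block, holds the same letter in the ciphertext as position i
    holds in the plaintext. Returns None if m is inconsistent with the data or
    the blocks do not contain enough distinct letters to pin pi down."""
    pt = "".join(ch for ch in plaintext.lower() if ch.isalpha())
    ct = "".join(ch for ch in ciphertext.lower() if ch.isalpha())
    if len(pt) != len(ct) or len(pt) % m:
        return None
    candidates = [set(range(1, m + 1)) for _ in range(m)]
    for b in range(0, len(pt), m):
        p, c = pt[b:b + m], ct[b:b + m]
        if sorted(p) != sorted(c):        # a transposition never changes letters
            return None
        for i in range(m):
            candidates[i] &= {j + 1 for j in range(m) if c[j] == p[i]}
    if any(len(s) != 1 for s in candidates):
        return None
    key = tuple(next(iter(s)) for s in candidates)
    return key if len(set(key)) == m else None


def find_block_length(plaintext: str, ciphertext: str, max_m: int = 12):
    """Try block sizes in turn; the first consistent one gives m and pi."""
    for m in range(1, max_m + 1):
        key = recover_key(plaintext, ciphertext, m)
        if key is not None:
            return m, key
    return None


if __name__ == "__main__":
    pt = "he walked up and down the passage two or three times"
    ct = encrypt(pt, PI)
    print(ct, decrypt(ct, PI))
    print(find_block_length(pt, ct))      # Oscar's view: plaintext + ciphertext
```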

2.5 The Vigenere Cipher

The Vigenère Cipher is another example of a cryptosystem that is not monoalphabetic. This cipher is named after Blaise de Vigenère, who lived in the sixteenth century.

The Vigenere Cipher is defined in Figure 2.6.

Page 27: CS 4476/5413 Lecture Notes INTRODUCTION TO NETWORK SECURITYccc.cs.lakeheadu.ca/cs4476/lecture.pdf · CS 4476/5413 Lecture Notes INTRODUCTION TO NETWORK SECURITY Ruizhong Wei Department

2.5. THE VIGENERE CIPHER 21

Let m be a fixed positive integer. Define P = C = K = (Z26)^m. For a key K = (k1, k2, ..., km), define

$$e_K(x_1, \ldots, x_m) = (x_1 + k_1, \ldots, x_m + k_m)$$

and

$$d_K(y_1, \ldots, y_m) = (y_1 - k_1, \ldots, y_m - k_m),$$

where all operations are performed in Z26.

Figure 2.6: The Vigenere Cipher

To use the Vigenère Cipher, Alice and Bob first decide the value of m, the length of the secret key, and then choose a string of length m as the key. To encrypt a plaintext, Alice divides the text into blocks of size m and encrypts it block by block with the secret key (a final short block is encrypted with the first letters of the key).

Example 2.5.1 Let m = 5 and let the secret key be ONWAR, i.e. K = (14, 13, 22, 0, 17). Suppose the plaintext is as follows:

the art of war teaches us to rely not on the likelihood of the enemys not coming but on our own readiness to receive him not on the chance of his not attacking but rather on the fact that we have made our position unassailable the combination of space time and strength that must be considered as the basic elements of this theory of defense makes this a fairly complicated matter consequently it is not easy to find a fixed point of departure

We first divide the plaintext into groups of size five and encrypt eachgroup using the key ONWAR. The following ciphertext is obtained:

HUAAIHBBWRFGAATVROUJHBNECMAKTFBGDECWXALZ

VBKDFTGDEVBRIYJBBPCFAVJGSIGKNFIEKWEFRWDZ

BROSKCEACVWIAHZAAKTFBGDETVNJCVCSDIJBBPAK

HNYKZBTXUKFNPHVFBJTYSSWCKHUWTNSUWVVANZEF


IELOJWGEOEIAWSJOVHASZRPHVQBIBZBNPIFBBBSG

OPATZARWNUGGNEEUGDTYOGIUJHOACFBFEDVFRZAJ

HUABRGVYECSZANKGBBTYWFPHVCEUOWRRBEEGRIAB

SFPHZGNBAZFYUCFACHITOGADDOGPEIQBJSVEHANK

ZLETZGAKTVOFUTFTVJDRTVTEUDBENKCSZEGOEPUI

S

To attack the Vigenère Cipher, Oscar needs to determine the key length m (the block size) and then the secret key itself. We introduce some methods developed by William F. Friedman in 1920. He defined the index of coincidence as follows.

Definition 2.5.2 Suppose x = x1 x2 ··· xn is a string of n alphabetic characters, and denote the frequencies of A, B, ..., Z in x by f0, f1, ..., f25 respectively. The index of coincidence of x is defined as

$$I_c(x) = \frac{\sum_{i=0}^{25} \binom{f_i}{2}}{\binom{n}{2}} = \frac{\sum_{i=0}^{25} f_i (f_i - 1)}{n(n-1)}.$$

In fact, Ic(x) is the probability that two randomly chosen positions of x hold the same letter. Since a monoalphabetic encryption only relabels the letters, it does not change this probability, so if x is English text or a ciphertext obtained from English by any monoalphabetic encryption, then

Ic(x) ≈ 0.065,

while if x is a uniformly random string of letters, then

Ic(x) ≈ 1/26 ≈ 0.038.

Using these properties of Ic, we can find the key length of a Vigenère Cipher. Suppose that the key length is m and the ciphertext is y = y1 y2 ··· yn. Write the ciphertext in columns of length m; then the i-th row consists of exactly the letters encrypted with the i-th key letter, so each row is a ciphertext of a monoalphabetic (shift) encryption and its Ic value should be around 0.065. For a wrong m the rows mix several shifts and their Ic values fall towards 0.038.

For Example 2.5.1 we compute the index of coincidence of the rows and obtain the following data. When m = 2, the values of Ic are 0.046369, 0.043824. When m = 3, they are 0.042297, 0.041457, 0.052381. When m = 4, they are 0.044944, 0.039950, 0.047690, 0.046692. When m = 5, they are 0.062207, 0.079030, 0.067684, 0.072770, 0.075117. When m = 6, they are 0.038418, 0.035593, 0.053107, 0.046328, 0.043503 and 0.044068.

Therefore we decide that the length of the key is five. The second step is to determine the key itself. To do that we need the mutual index of coincidence of two strings.

Definition 2.5.3 Suppose x = x1 x2 ··· xn and y = y1 y2 ··· yn′ are strings of n and n′ alphabetic characters, respectively. Let f0, f1, ..., f25 and f′0, f′1, ..., f′25 be the frequencies of A, B, ..., Z in x and y, respectively. The mutual index of coincidence of x and y is defined as

$$MI_c(x, y) = \frac{\sum_{i=0}^{25} f_i f'_i}{n n'}.$$

The value of MIc(x, y) is the probability that a random element of x is identical to a random element of y. Suppose x and y are shift cipher encryptions of English text. If the relative shift of x and y is zero (the same shift was used), then MIc(x, y) is about 0.065; otherwise its value varies between about 0.031 and 0.045.

We have hypothesized that the key length is m = 5 in Example 2.5.1. Let the key be (K0, K1, K2, K3, K4). We now use the mutual index of coincidence to find the key. To do that we first write the ciphertext in columns of size 5 (only the first 32 letters of each row are shown):

HHFVHMBWVTBBAIIFBCWABVCBHBFFSHSA ...

UBGRBAGXBGRBVGERREIAGNSBNTNBSUUN ...

ABAONKDAKDIPJKKWOAAKDJDPYXPJWWWZ ...

AWAUETELDEYCGNWDSCHTECIAKUHTCTVE ...

IRTJCFCZFVJFSFEZKVZFTVJKZKVYKNVF ...

In this way, each row is a shift cipher encryption of English text. Let y_i denote the i-th row, 0 ≤ i ≤ 4, and let y_j^g denote the string obtained from y_j by shifting every letter by g, so that its letter frequencies are f′_{k−g}. We compute

$$MI_c(y_i, y_j^g) = \frac{\sum_{k=0}^{25} f_k f'_{k-g}}{n n'}$$

for 0 ≤ i < j ≤ 4 and 0 ≤ g ≤ 25 (subscripts taken mod 26). The results are in Figure 2.7. The rows y_i and y_j^g are encrypted with the same shift exactly when K_i = K_j + g, and then their mutual index is about 0.065. Therefore, if we find some g such that MIc(y_i, y_j^g) ≈ 0.065, then K_i = K_j + g.


i  j   values of MIc(yi, yj^g) for g = 0..8, g = 9..17, g = 18..25

0  1   0.0563 0.0675 0.0384 0.0264 0.0336 0.0392 0.0436 0.0355 0.0401
       0.0311 0.0417 0.0282 0.0341 0.0503 0.0469 0.0380 0.0365 0.0301
       0.0258 0.0297 0.0403 0.0511 0.0338 0.0363 0.0231 0.0424

0  2   0.0374 0.0442 0.0345 0.0349 0.0436 0.0488 0.0461 0.0476 0.0326
       0.0260 0.0276 0.0388 0.0424 0.0345 0.0347 0.0216 0.0336 0.0436
       0.0633 0.0413 0.0293 0.0297 0.0380 0.0421 0.0392 0.0446

0  3   0.0444 0.0498 0.0382 0.0459 0.0372 0.0359 0.0351 0.0426 0.0446
       0.0282 0.0305 0.0266 0.0434 0.0430 0.0604 0.0355 0.0228 0.0222
       0.0380 0.0365 0.0382 0.0372 0.0316 0.0422 0.0438 0.0463

0  4   0.0357 0.0446 0.0486 0.0368 0.0314 0.0332 0.0455 0.0363 0.0401
       0.0480 0.0378 0.0314 0.0405 0.0380 0.0268 0.0312 0.0307 0.0421
       0.0324 0.0388 0.0260 0.0388 0.0538 0.0615 0.0401 0.0297

1  2   0.0324 0.0422 0.0428 0.0401 0.0380 0.0519 0.0486 0.0355 0.0336
       0.0264 0.0386 0.0278 0.0451 0.0380 0.0274 0.0228 0.0326 0.0783
       0.0417 0.0349 0.0326 0.0392 0.0357 0.0419 0.0471 0.0249

1  3   0.0401 0.0444 0.0507 0.0338 0.0405 0.0276 0.0370 0.0336 0.0382
       0.0340 0.0318 0.0343 0.0324 0.0718 0.0451 0.0245 0.0249 0.0434
       0.0312 0.0411 0.0388 0.0289 0.0228 0.0478 0.0529 0.0484

1  4   0.0407 0.0415 0.0446 0.0316 0.0264 0.0299 0.0392 0.0476 0.0473
       0.0380 0.0318 0.0473 0.0421 0.0326 0.0305 0.0324 0.0289 0.0307
       0.0530 0.0318 0.0228 0.0384 0.0822 0.0438 0.0280 0.0370

2  3   0.0457 0.0395 0.0347 0.0355 0.0330 0.0324 0.0463 0.0577 0.0486
       0.0322 0.0309 0.0434 0.0312 0.0355 0.0262 0.0413 0.0388 0.0314
       0.0349 0.0336 0.0353 0.0349 0.0723 0.0465 0.0274 0.0307

2  4   0.0318 0.0519 0.0367 0.0282 0.0411 0.0720 0.0430 0.0237 0.0320
       0.0392 0.0434 0.0314 0.0280 0.0299 0.0303 0.0353 0.0525 0.0509
       0.0324 0.0274 0.0494 0.0478 0.0322 0.0291 0.0403 0.0401

3  4   0.0295 0.0382 0.0372 0.0367 0.0303 0.0513 0.0235 0.0239 0.0444
       0.0693 0.0372 0.0326 0.0307 0.0320 0.0401 0.0336 0.0291 0.0299
       0.0324 0.0355 0.0552 0.0496 0.0287 0.0403 0.0573 0.0515

Figure 2.7: Observed Mutual Indices of Coincidence


From the peaks in Figure 2.7 (the entries near 0.065) we obtain the following equations, all modulo 26:

$$K_0 = K_1 + 1,\quad K_0 = K_2 + 18,\quad K_0 = K_3 + 14,\quad K_0 = K_4 + 23,\quad K_1 = K_2 + 17,\quad K_1 = K_3 + 13.$$

These linear equations in the five unknowns K0, K1, K2, K3, K4 leave only K0 free, so the key must be of the form

$$(K_0,\; K_0 + 25,\; K_0 + 8,\; K_0 + 12,\; K_0 + 3).$$

Now we try to decrypt the ciphertext with K0 = 0, 1, ..., 25. Only K0 = 14 produces English, so the key is (14, 13, 22, 0, 17) = ONWAR.
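Friedman's method end to end, as an added Python example that is not code from the lecture notes: it encrypts the plaintext of Example 2.5.1 with ONWAR, guesses the key length from the Ic of the rows, recovers the relative shifts from the mutual index of coincidence, and replaces the final hand step (trying all 26 values of K0) by scoring each candidate decryption against the English letter probabilities of Figure 2.4. The ENGLISH table is Figure 2.4; the function names and the scoring step are mine.

```python
from collections import Counter
from string import ascii_uppercase

# Beker and Piper's English letter probabilities, A..Z (Figure 2.4 of the notes).
ENGLISH = [.082, .015, .028, .043, .127, .022, .020, .061, .070, .002, .008, .040,
           .024, .067, .075, .019, .001, .060, .063, .091, .028, .010, .023, .001,
           .020, .001]


def clean(text: str) -> str:
    return "".join(ch for ch in text.upper() if ch in ascii_uppercase)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Add (or subtract) the key letters to the text letters in Z_26."""
    text, key = clean(text), clean(key)
    sign = -1 if decrypt else 1
    return "".join(
        chr((ord(ch) - 65 + sign * (ord(key[i % len(key)]) - 65)) % 26 + 65)
        for i, ch in enumerate(text))


def freqs(text: str) -> list:
    c = Counter(text)
    return [c[ch] for ch in ascii_uppercase]


def index_of_coincidence(text: str) -> float:
    n = len(text)
    return sum(f * (f - 1) for f in freqs(text)) / (n * (n - 1))


def mutual_ic(x: str, y: str, g: int = 0) -> float:
    """MIc(x, y^g): probability that a random letter of x equals a random
    letter of y after every letter of y has been shifted by g."""
    fx, fy = freqs(x), freqs(y)
    return sum(fx[k] * fy[(k - g) % 26] for k in range(26)) / (len(x) * len(y))


def rows(ciphertext: str, m: int) -> list:
    """Row i holds the letters encrypted with key letter i."""
    return [ciphertext[i::m] for i in range(m)]


def guess_key_length(ciphertext: str, max_m: int = 8) -> int:
    """The m whose rows look most like monoalphabetic text (mean Ic near 0.065)."""
    mean_ic = {m: sum(index_of_coincidence(r) for r in rows(ciphertext, m)) / m
               for m in range(1, max_m + 1)}
    return max(mean_ic, key=mean_ic.get)


def english_fit(text: str) -> float:
    """sum_i p_i f_i / n: about 0.065 for English, clearly lower for a wrong shift."""
    return sum(p * f for p, f in zip(ENGLISH, freqs(text))) / len(text)


def recover_key(ciphertext: str, m: int) -> str:
    ys = rows(ciphertext, m)
    # Relative shifts: K_0 = K_j + g_j where g_j maximises MIc(y_0, y_j^g).
    rel = [max(range(26), key=lambda g: mutual_ic(ys[0], ys[j], g)) for j in range(m)]
    best = None
    for k0 in range(26):                       # the notes do this last step by hand
        key = "".join(chr((k0 - g) % 26 + 65) for g in rel)
        score = english_fit(vigenere(ciphertext, key, decrypt=True))
        if best is None or score > best[0]:
            best = (score, key)
    return best[1]


if __name__ == "__main__":
    ct = vigenere("the art of war teaches us to rely not on the likelihood", "ONWAR")
    m = guess_key_length(ct)
    print(m, recover_key(ct, m))
```

With only the 45-letter plaintext used in the `__main__` demonstration the statistics are noisy; the full 361-letter plaintext of Example 2.5.1 gives the clean separation shown in Figures 2.7 and the Ic values above.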

The Vigenère Cipher is clearly not a monoalphabetic encryption: a plaintext letter can be mapped to any of m possible ciphertext letters, depending on its position. Such a cryptosystem is called polyalphabetic. In general a polyalphabetic cryptosystem is more secure than a monoalphabetic one, although, as we have just seen, not by much when the period m is short and plenty of ciphertext is available.

The Vigenère Cipher is based on the 26 English letters. We can define a similar cipher over Z2 instead of Z26. In this case the scheme is as in Figure 2.8.

Let m be a fixed positive integer. Define P = C = K = (Z2)^m. For a key K = (k1, k2, ..., km), define

$$e_K(x_1, \ldots, x_m) = (x_1 + k_1, \ldots, x_m + k_m)$$

and

$$d_K(y_1, \ldots, y_m) = (y_1 - k_1, \ldots, y_m - k_m),$$

where all operations are performed in Z2.

Figure 2.8: Binary Vigenère Cipher


In this scheme, we can think of the plaintext, ciphertext and key as binary strings of length m, and write the encryption and decryption functions as

$$e_K(x) = x \oplus K, \qquad d_K(y) = y \oplus K.$$

The operation ⊕ is called exclusive-or, or XOR, and is implemented easily and efficiently by a computer. Since x ⊕ K ⊕ K = x, the same program performs both encryption and decryption.

2.6 The Hill Cipher

The Hill Cipher was invented in 1929 by Lester S. Hill. As in the Vigenère Cipher, P = C = (Z26)^m. The key used in this system is an invertible m × m matrix whose entries are from Z26.

Definition 2.6.1 Suppose A is an m × m matrix over Z26,

$$A = \begin{pmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,m} \\ a_{2,1} & a_{2,2} & \cdots & a_{2,m} \\ \vdots & \vdots & \ddots & \vdots \\ a_{m,1} & a_{m,2} & \cdots & a_{m,m} \end{pmatrix}.$$

If there exists an m × m matrix B over Z26,

$$B = \begin{pmatrix} b_{1,1} & b_{1,2} & \cdots & b_{1,m} \\ b_{2,1} & b_{2,2} & \cdots & b_{2,m} \\ \vdots & \vdots & \ddots & \vdots \\ b_{m,1} & b_{m,2} & \cdots & b_{m,m} \end{pmatrix},$$

such that AB = I_m, where I_m is the m × m identity matrix

$$I_m = \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 1 \end{pmatrix},$$

then we say that A is an invertible matrix over Z26 and that B is the inverse of A, denoted B = A^{-1}.


We will not discuss here how to determine whether a matrix is invertible or how to find the inverse of an invertible matrix. These methods can be found in any linear algebra textbook. The only thing to be careful about is that all our computations are in Z26: a matrix is invertible modulo 26 exactly when its determinant is coprime to 26, that is, odd and not divisible by 13.

The Hill Cipher can be defined as in Figure 2.9

Let P = C = (Z26)^m and let K consist of all invertible m × m matrices over Z26. For a key K ∈ K, define

$$e_K(x) = xK$$

and

$$d_K(y) = yK^{-1},$$

where x, y ∈ (Z26)^m are row vectors and all operations are performed in Z26.

Figure 2.9: The Hill Cipher

The correctness of the Hill Cipher is easy to verify: for any x ∈ (Z26)^m we have xI_m = x, so d_K(e_K(x)) = xKK^{-1} = xI_m = x. Let us see a small example.

Example 2.6.2 Suppose Alice and Bob choose m = 2 and use the key

$$K = \begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix}.$$

When Alice wants to send the message

letusfly

to Bob, she first converts the plaintext into elements of (Z26)^2 (that is, the plaintext is divided into blocks of size 2):

(11, 4), (19, 20), (18, 5), (11, 24).


Then she computes the ciphertext as follows:

(11, 4)K = (3, 12)

(19, 20)K = (9, 6)

(18, 5)K = (5, 23)

(11, 24)K = (11, 22)

So the ciphertext is

DMJGFXLW

Bob can compute from K that

$$K^{-1} = \begin{pmatrix} 7 & 18 \\ 23 & 11 \end{pmatrix}.$$

So he can decrypt the cipher and obtain the original message.

The Hill Cipher can be difficult to break with a ciphertext-only attack. However, it succumbs easily to a known plaintext attack, which amounts to solving linear equations over Z26. In Example 2.6.2, if Oscar knows both the plaintext and the ciphertext, then he knows that

$$\begin{pmatrix} 11 & 4 \\ 18 & 5 \end{pmatrix} K = \begin{pmatrix} 3 & 12 \\ 5 & 23 \end{pmatrix}.$$

(He must choose m plaintext blocks whose matrix is invertible over Z26. Here the first and third blocks are used: the matrix formed by the first two blocks has determinant 220 − 76 ≡ 14 (mod 26), which is not invertible modulo 26.) He can then compute that

$$\begin{pmatrix} 11 & 4 \\ 18 & 5 \end{pmatrix}^{-1} = \begin{pmatrix} 15 & 14 \\ 24 & 7 \end{pmatrix}.$$

Therefore he obtains

$$K = \begin{pmatrix} 15 & 14 \\ 24 & 7 \end{pmatrix} \begin{pmatrix} 3 & 12 \\ 5 & 23 \end{pmatrix} = \begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix}.$$

The Hill Cipher is not a monoalphabetic encryption system. In the above example there are two "l" in the plaintext, and the ciphertext letters in their positions are different: "D" and "L".

Remark 2.6.1 From the attack on the Hill Cipher we learn that if there is a linear relationship between plaintext and ciphertext, then the cryptosystem is not secure against a known plaintext attack.
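The Hill Cipher and the known plaintext attack of this section, as an added Python example that is not from the lecture notes. It inverts matrices over Z26 via the adjugate (so it works for any small m, and it refuses a matrix whose determinant is not coprime to 26), and the attack searches for m plaintext blocks whose matrix is invertible before computing K = X^{-1}Y, the step that Example 2.6.2 performs by choosing the first and third blocks. The function names are mine; the numbers are those of the example.

```python
from itertools import combinations
from math import gcd

MOD = 26


def det(a):
    """Determinant mod 26 by Laplace expansion (fine for the small m used here)."""
    n = len(a)
    if n == 1:
        return a[0][0]
    return sum((-1) ** c * a[0][c] * det([row[:c] + row[c + 1:] for row in a[1:]])
               for c in range(n)) % MOD


def inverse(a):
    """Inverse over Z_26 via the adjugate; raises ValueError if gcd(det, 26) != 1."""
    n, d = len(a), det(a)
    if gcd(d, MOD) != 1:
        raise ValueError(f"matrix is not invertible mod 26 (det = {d})")
    d_inv = pow(d, -1, MOD)
    adj = [[0] * n for _ in range(n)]
    for r in range(n):
        for c in range(n):
            minor = [row[:c] + row[c + 1:] for i, row in enumerate(a) if i != r]
            adj[c][r] = (-1) ** (r + c) * det(minor) if n > 1 else 1
    return [[(d_inv * adj[r][c]) % MOD for c in range(n)] for r in range(n)]


def matmul(x, y):
    return [[sum(x[r][k] * y[k][c] for k in range(len(y))) % MOD
             for c in range(len(y[0]))] for r in range(len(x))]


def encrypt(plaintext, key):
    """Row-vector convention of Figure 2.9: each block x becomes xK."""
    m = len(key)
    nums = [ord(ch) - 97 for ch in plaintext.lower() if ch.isalpha()]
    if len(nums) % m:
        raise ValueError("plaintext length must be a multiple of m")
    blocks = [nums[i:i + m] for i in range(0, len(nums), m)]
    return "".join(chr(v + 65) for row in matmul(blocks, key) for v in row)


def decrypt(ciphertext, key):
    return encrypt(ciphertext, inverse(key)).lower()


def known_plaintext_attack(plaintext, ciphertext, m):
    """Find m plaintext blocks forming an invertible matrix X; then K = X^-1 Y."""
    p = [ord(ch) - 97 for ch in plaintext.lower() if ch.isalpha()]
    c = [ord(ch) - 65 for ch in ciphertext.upper() if ch.isalpha()]
    pb = [p[i:i + m] for i in range(0, len(p), m)]
    cb = [c[i:i + m] for i in range(0, len(c), m)]
    for idx in combinations(range(len(pb)), m):
        x = [pb[i] for i in idx]
        if gcd(det(x), MOD) == 1:
            return matmul(inverse(x), [cb[i] for i in idx])
    return None                      # no invertible set of blocks: need more text


if __name__ == "__main__":
    K = [[11, 8], [3, 7]]
    ct = encrypt("letusfly", K)
    print(ct, decrypt(ct, K), inverse(K))
    print("recovered key:", known_plaintext_attack("letusfly", ct, 2))
```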


2.7 Stream Cipher

The cryptosystems we have studied so far are block ciphers. In a block cipher, every element of the plaintext is encrypted with the same key K, so the ciphertext of x = x1 x2 ··· is

eK(x1)eK(x2) · · · .

Stream ciphers use a sequence of different keys instead of one key. In a stream cipher we use a key stream z = z1 z2 ··· to encrypt a plaintext, so the ciphertext is

y = y1 y2 ··· = e_{z1}(x1) e_{z2}(x2) ··· .

To set up a stream cipher, the main problem is how to generate the key stream. There are several different types of stream ciphers. When the key stream depends on the plaintext, the cipher is called non-synchronous; if the key stream is independent of the plaintext, it is called synchronous. A stream cipher is called periodic with period d if z_{i+d} = z_i for all i. A Vigenère Cipher can be thought of as a periodic stream cipher.

In general, stream ciphers are faster than block ciphers in hardware and need less complex circuitry. They are also suitable when buffering is limited or when characters must be processed individually as they are received. A stream cipher may also be used when transmission errors are likely, since a synchronous stream cipher has little or no error propagation: a corrupted ciphertext symbol affects only the corresponding plaintext symbol. We will discuss this a little more in the next chapter.

Now let us consider some examples of stream cipher. The stream cipherdefined in Figure 2.10 is a non-synchronous cipher called Autokey Cipher.

For example, suppose the plaintext is

networksecurity.

The corresponding numbers are

13 4 19 22 14 17 10 18 4 2 20 17 8 19 24.

Suppose we choose K = 5. Then z1 = 5, z2 = x1 = 13, z3 = x2 = 4, and so on. Adding the key stream to the plaintext modulo 26 gives

18 17 23 15 10 5 1 2 22 6 22 11 25 1 17.


Let P = C = K = Z26. For a key K ∈ K, let z1 = K and zi = x_{i−1} for i ≥ 2. Define

$$e_z(x) = x + z \bmod 26$$

and

$$d_z(y) = y - z \bmod 26.$$

Figure 2.10: Autokey Cipher

The cipher text is

SRXPKFBCWGWLZBR.

To decrypt the ciphertext, Bob first uses K = 5 to find the first letter ofthe plaintext n. Then he uses n as a key to find the second letter e, etc.

Of course, the autokey cipher is insecure, since there are only 26 possible keys and Oscar can simply try all of them. The autokey cipher is a non-synchronous stream cipher. Next we consider some synchronous stream ciphers.

First we note that a Vigenère Cipher can be seen as a stream cipher whose key stream is periodic, i.e., z_{i+m} = z_i. We have already seen that the Vigenère Cipher can be attacked if the period is not very large. In general, we want the period of a key stream to be very large. The following method can be thought of as a generalization of the binary Vigenère Cipher. One advantage of this method is that it produces a key stream with a long period from a relatively small key.

Let P = C = Z2. Thus we will use binary codes. The encryption anddecryption operations are additions modulo 2:

ez(x) = x+ z mod 2

and

dz(y) = y + z mod 2.

Note that in binary case, x+ z = x− z (1 = −1 (mod 2)). The key streamis formed as follows.


Suppose the first m keys are (k1, k2, ..., km), i.e., zi = ki for 1 ≤ i ≤ m. We also select m elements c0, c1, ..., c_{m−1} ∈ Z2. The key stream is generated by the linear recurrence relation of degree m

$$z_{i+m} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2.$$

The period of the key stream can be as large as 2^m − 1 (this maximum is reached when the feedback polynomial x^m + c_{m−1}x^{m−1} + ··· + c_1 x + c_0 is primitive over Z2 and the initial state is nonzero), which is much larger than the 2m bits k1, ..., km, c0, ..., c_{m−1} selected as the key.

Example 2.7.1 Suppose we choose m = 4 and the first four keys are (1, 0, 1, 0). Let the constants (c0, c1, c2, c3) = (1, 1, 0, 0). Then

zi+4 = zi + zi+1 mod 2.

Therefore the key stream is as follows.

1, 0, 1, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, · · · .

Another appealing aspect of this method of key stream generation is that the key stream can be produced efficiently in hardware using a linear feedback shift register (LFSR). For example, the LFSR in Figure 2.11 generates the key stream of Example 2.7.1, where ⊕ denotes the exclusive-or operation (XOR). The initial vector (k1, k2, k3, k4) can be any nonzero vector (the all-zero state would produce the all-zero key stream forever). Since x ⊕ x = 0 for any x, the same machine does both encryption and decryption.

[Figure 2.11: A Linear Feedback Shift Register. Diagram not reproduced: four stages K1, K2, K3, K4; the XOR of the outputs of the first two stages is fed back into the last stage, realizing z_{i+4} = z_i ⊕ z_{i+1}.]

There are known-plaintext attacks on LFSR-based stream ciphers. From plaintext and ciphertext, yi = xi + zi, we know zi = yi − xi, i.e. the key stream bits. Since the recurrence is linear, each known bit z_{i+m} gives one linear equation over Z2 in the m unknown coefficients c0, c1, ..., c_{m−1}. If we know m (or try increasing values of it), 2m consecutive key stream bits give m equations in the m unknowns, which we can solve by Gaussian elimination over Z2; with the coefficients in hand we can regenerate the entire key stream.
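The attack just described, as an added Python example that is not from the lecture notes: it generates the key stream of Example 2.7.1 from the recurrence above, confirms its period of 15, recovers the key stream bits from a constructed plaintext/ciphertext pair, and solves for the taps c0, ..., c3 by Gaussian elimination over Z2. The function names and the sample plaintext bits are mine.

```python
def lfsr_keystream(init, taps, n):
    """Key stream z_1 ... z_n of the LFSR z_{i+m} = sum_j c_j z_{i+j} mod 2,
    started from the m key bits `init` with feedback coefficients `taps`."""
    state, out = list(init), []
    for _ in range(n):
        out.append(state[0])
        feedback = sum(c * s for c, s in zip(taps, state)) % 2
        state = state[1:] + [feedback]
    return out


def period(init, taps):
    """Steps until the register returns to its initial state (at most 2^m - 1)."""
    m, state, steps = len(init), list(init), 0
    while True:
        feedback = sum(c * s for c, s in zip(taps, state)) % 2
        state, steps = state[1:] + [feedback], steps + 1
        if state == list(init) or steps > 2 ** m:
            return steps


def xor_bits(a, b):
    """Bitwise XOR of two bit lists: encryption and decryption alike."""
    return [x ^ y for x, y in zip(a, b)]


def solve_gf2(rows, rhs):
    """Solve a square linear system over Z_2 by Gaussian elimination.
    Returns the solution as a tuple, or None if the matrix is singular."""
    m = len(rows)
    aug = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(m):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return tuple(row[m] for row in aug)


def recover_taps(keystream, m):
    """Known-plaintext attack: 2m consecutive key stream bits (z_i = y_i XOR x_i)
    give m equations z_{i+m} = sum_j c_j z_{i+j} in the m unknown taps."""
    if len(keystream) < 2 * m:
        raise ValueError("need at least 2m key stream bits")
    rows = [list(keystream[i:i + m]) for i in range(m)]
    rhs = [keystream[i + m] for i in range(m)]
    return solve_gf2(rows, rhs)


if __name__ == "__main__":
    init, taps = (1, 0, 1, 0), (1, 1, 0, 0)            # Example 2.7.1
    print(lfsr_keystream(init, taps, 15), "period", period(init, taps))
    plaintext = [1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1]      # constructed sample bits
    ciphertext = xor_bits(plaintext, lfsr_keystream(init, taps, len(plaintext)))
    # Oscar knows plaintext and ciphertext, hence the key stream, hence the taps.
    print("taps:", recover_taps(xor_bits(plaintext, ciphertext), 4))
```

Once the taps are known, `lfsr_keystream` started from any m consecutive recovered bits reproduces the rest of the key stream, so the remainder of the message (and any later message under the same key) is exposed.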

Another attack on LFSR-based and other synchronous stream ciphers: if two plaintexts are encrypted with the same key stream, the XOR of the two ciphertexts equals the XOR of the two plaintexts, because the key stream cancels. Oscar then recovers one plaintext as soon as he knows, or can guess, the other, so a key stream must never be reused.

One commonly used stream cipher is RC4, designed by Ron Rivest at RSA Data Security in 1987. This cipher has been widely used in commercial applications, including Oracle SQL, Microsoft Windows and SSL. The algorithm was kept as a trade secret until 1994, when its source code was leaked to the cypherpunks mailing list, which prompted its external analysis. The key stream generated by RC4 is a stream of pseudo-random bytes (8 bits). RC4 has since been deprecated: statistical biases in its key stream are known, and RFC 7465 (2015) prohibits its use in TLS.

In the RC4 algorithm the key stream is completely independent of the plaintext, so it is a synchronous stream cipher. RC4 uses an S-vector (S(0), ..., S(255)), each entry of which is a byte (8 bits). The S-vector is a permutation of the numbers 0 to 255, and the permutation is a function of the variable-length key. Two counters i and j, both initialized to 0, are used in the algorithm.

The S-vector is initialized as S(0) = 0, S(1) = 1, ..., S(255) = 255. The key length of RC4 can be any number of bytes from 1 to 256.

Another 256-byte array T is then filled with the key, repeating the key as necessary to fill the entire array. So if the key has 256 bytes, T is the same as the key; if the key has 8 bytes, T contains 32 copies of the key; and so on.

The index j is then set to 0, and the algorithm in Figure 2.12 is used to initialize the S-vector. This algorithm permutes the S-vector in a way that depends on the key (the array T).

The algorithm in Figure 2.13 is then used to generate one key stream byte K per iteration; K is XORed with the next plaintext byte to produce the ciphertext. The operations used in RC4 are additions and swaps, so RC4 is a fast encryption that is easily implemented in software. In this respect it has an advantage over LFSRs, which are efficient mainly in hardware.

RSA claims that the algorithm is immune to differential and linear crypt-analysis (we will discuss these attacks in the next chapter). The algorithmcan also be changed from the 8-bit used above to 16-bit by using a 16-bitword.


for i = 0 to 255 do
    j = (j + S(i) + T(i)) mod 256
    swap S(i) and S(j)
end for

Figure 2.12: RC4 key initialization

i = (i + 1) mod 256
j = (j + S(i)) mod 256
swap S(i) and S(j)
t = (S(i) + S(j)) mod 256
K = S(t)

Figure 2.13: Key stream of RC4 (one byte K per iteration)
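RC4 as described in Figures 2.12 and 2.13, together with the key-reuse attack on synchronous stream ciphers mentioned above, as an added Python example that is not code from the lecture notes or from RSA. It is checked against the public test vector for the key "Key" and the plaintext "Plaintext"; the second key and the two messages in the reuse demonstration are constructed for this example.

```python
def rc4_keystream(key: bytes):
    """Generator for the RC4 key stream: key setup (Figure 2.12), then one
    byte per iteration of the generation loop (Figure 2.13)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))                       # identity permutation
    T = [key[i % len(key)] for i in range(256)]   # key repeated to 256 bytes
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the key stream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_second_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Key stream reuse: c1 XOR c2 = p1 XOR p2, so knowing p1 reveals p2
    (for the overlapping length). No key is needed."""
    return xor_bytes(xor_bytes(c1, c2), p1)


if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())     # bbf316e8d940af0ad3
    # RC4 has no nonce: the same key always yields the same key stream, so two
    # messages under one key are a two-time pad. (constructed sample messages)
    p1, p2 = b"attack at dawn", b"retreat at noon"
    c1, c2 = rc4(b"s3cret", p1), rc4(b"s3cret", p2)
    print(recover_second_plaintext(c1, c2, p1))
```

Practical RC4 deployments tried to avoid this by mixing a per-message value into the key; how badly that went (WEP's 24-bit IV) is one of the well-known failures of the cipher.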

2.8 Product Cryptosystems

Because of the rapid development of computers, cryptosystems need more complicated encryption functions and larger key spaces. One method, called product cryptosystems and introduced by Shannon, is an important idea for modern cryptosystems. It allows us to build "large" cryptosystems from "small" ones.

Suppose we have two cryptosystems S1 = (P1, C1, K1, E1, D1) and S2 = (P2, C2, K2, E2, D2). If C1 = P2, then the product of S1 and S2, written S1 × S2, is defined as the cryptosystem

$$(P_1, C_2, K_1 \times K_2, E, D),$$

where, for a key (K1, K2) ∈ K1 × K2,

$$e_{(K_1, K_2)}(x) = e_{K_2}(e_{K_1}(x))$$

and

$$d_{(K_1, K_2)}(y) = d_{K_1}(d_{K_2}(y)).$$

The product of cryptosystems is also called a combination of cryptosystems. Two cryptosystems can be combined in this way only if the ciphertexts of the first system are plaintexts of the second. However, a product of cryptosystems does not always give a new cryptosystem. For example, suppose S1 is a Vigenère Cipher and S2 is a Shift Cipher. Then S1 × S2 is still a Vigenère Cipher with the same period; only the key is shifted in the product system, so such a product is meaningless. In other cases, however, the product of cryptosystems does form a new cryptosystem.

Example 2.8.1 Suppose S1 is a substitution cipher and S2 is a permutationcipher. Then S1×S2 is a new cryptosystem. The key space of the new systemis 26!×m!.

Sometimes combining a cryptosystem with itself creates a new system; in that case we just need to run the encryption algorithm twice, which is an economical way to enlarge the key space. A cryptosystem S is called idempotent if S × S = S. It is easy to check that the Shift Cipher, the Substitution Cipher, the Hill Cipher, the Vigenère Cipher and the Permutation Cipher are idempotent (for example, two Hill keys K1, K2 compose to the single Hill key K1 K2). The cryptosystem of Example 2.8.1 is not idempotent. If a system S is not idempotent, then we can construct the system

$$\underbrace{S \times S \times \cdots \times S}_{n} = S^n,$$

which is called an iterated cryptosystem. Iterated method is used in modernblock encryption systems.

2.9 Modular Arithmetics

In this section, we display some knowledge of modular arithmetic used inthis chapter.

Definition 2.9.1 Suppose a and b are integers, and m is a positive integer.Then we write a ≡ b (mod m) if m divides b−a. (Equivalently, if a = mt+bfor some integer t).


a ≡ b (mod m) is read as “ a is congruent to b modulo m.” The integerm is referred as modulus. The following properties are easy to check.

If x ≡ a (mod m) and y ≡ b (mod m), then x+ y ≡ a+ b (mod m)and xy ≡ ab (mod m).

For example, since 13 ≡ 3 (mod 5) and 7 ≡ 2 (mod 5), we have 13 +7 ≡ 3 + 2 ≡ 0 (mod 5), 13 · 7 ≡ 3 · 2 ≡ 6 ≡ 1 (mod 5).

Suppose m > 1 is an integer. We can assume that the remainder of aninteger a divided by m is b, 0 ≤ b ≤ m − 1, i.e., a ≡ b (mod m), 0 ≤ b ≤m− 1. We say that a is reduced to b modulo m.

We now define arithmetic modulo m: Zm is defined to be the set {0, · · · , m − 1}, equipped with operations + and ×. Addition and multiplication work exactly like ordinary integer addition and multiplication, except that the results are reduced modulo m.

For example, in Z5, we have 2 + 4 = 1, 3 + 2 = 0, 2 × 4 = 3, 3 × 2 = 1, etc. Suppose that a, b, c ∈ Zm. The addition and multiplication in Zm have the following properties:

1. addition is closed: a+ b ∈ Zm

2. addition is commutative: a+ b = b+ a

3. addition is associative: (a+ b) + c = a+ (b+ c)

4. 0 is an additive identity: a+ 0 = 0 + a = a

5. the additive inverse of a is m− a: a+ (m− a) = (m− a) + a = 0

6. multiplication is closed: ab ∈ Zm

7. multiplication is commutative: ab = ba

8. multiplication is associative: (ab)c = a(bc)

9. 1 is a multiplicative identity: a × 1 = 1 × a = a

10. multiplication distributes over addition: (a + b)c = ac + bc, a(b + c) = ab + ac.

Properties 1, 3 – 5 say that Zm is a group with respect to the addition operation. Properties 1 – 10 establish that Zm is a commutative ring. Rings and groups are useful algebraic structures.


It is not necessary that an element in Zm has a multiplicative inverse. In fact, an element a ∈ Zm has a multiplicative inverse if and only if gcd(a, m) = 1. In particular, for a prime number p, each nonzero element in Zp has a multiplicative inverse. When every nonzero element in a commutative ring has a multiplicative inverse, it is called a field. Zp is an example of a finite field.
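The inverse criterion gcd(a, m) = 1 is what decides whether a key is usable in the Shift, Affine and Hill ciphers of this chapter, so it is worth seeing it computed. The following is an added example, not code from the notes: the extended Euclidean algorithm produces the inverse when it exists, and the same test distinguishes the field Zp from a ring such as Z26. Function names (egcd, mod_inverse, units, is_field) are this example's own.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def mod_inverse(a, m):
    """Inverse of a in Z_m, or None when gcd(a, m) != 1 (then no inverse exists)."""
    g, s, _ = egcd(a % m, m)
    return s % m if g == 1 else None


def reduce_mod(a, m):
    """'a reduced to b modulo m': the unique b with 0 <= b <= m-1 and a ≡ b (mod m)."""
    return a % m


def units(m):
    """Elements of Z_m that have a multiplicative inverse (gcd(a, m) = 1)."""
    return [a for a in range(1, m) if mod_inverse(a, m) is not None]


def is_field(m):
    """Z_m is a field iff every nonzero element is invertible, i.e. iff m is prime."""
    return m > 1 and len(units(m)) == m - 1


if __name__ == "__main__":
    # Z_5 is a field; Z_26 (the alphabet ring used by classical ciphers) is not.
    print(units(5), is_field(5))
    print(units(26), is_field(26))
    print(mod_inverse(3, 5), mod_inverse(2, 4))
```

Only 12 of the 25 nonzero residues of Z26 are invertible, which is exactly why an affine or Hill key over the alphabet must be checked for invertibility before it is accepted.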


Chapter 3

Modern Block Ciphers

In this chapter, we examine modern conventional cryptosystems. Since the explosive growth of computer systems, people now have very powerful facilities for performing attacks on a cryptosystem. Therefore modern conventional cryptosystems are very complicated.

For a good encryption system, we need to consider both security and efficiency. However, in general there is a trade-off between security and efficiency. For example, we already observed that the key space of a cryptosystem should be large enough, otherwise an exhaustive key search can break the system. On the other hand, a large key space means more storage space and more computation time.

Although modern block ciphers are more complicated, we can see that techniques of the classic block ciphers discussed in the previous chapter are still used. In this chapter, we mainly discuss the two most important block ciphers: DES and AES.

3.1 The Data Encryption Standard

The Data Encryption Standard, or DES, is the most widely used cryptosystem in the world. DES was developed at IBM and first published in the Federal Register of March 17, 1975. In 1977, this system was approved as a Federal Information Processing Standard. Although DES has now been shown to be insecure and a new encryption standard was announced on November 26, 2001 (FIPS PUB 197), DES is still an important modern cryptosystem.

DES is an iterated block cipher. The three operations XOR, substitution and permutation form the backbone of the encryption. DES encrypts a plaintext bitstring x of length 64 using a key K which is a bitstring of length 56. The resulting ciphertext is again a bitstring of length 64.

The algorithm can be described as follows:

1. A fixed initial permutation P is used to permute the bits of the plaintext x. The resulting 64-bit string is divided into two parts L0 and R0, each comprising 32 bits.

2. 16 iterations of a Feistel type cipher are then performed. For 1 ≤ i ≤ 16, LiRi is computed according to the following rule:

Li = Ri−1

Ri = Li−1 ⊕ f(Ri−1, Ki),

where ⊕ denotes the XOR (exclusive-or) of two bitstrings. And

f(Ri−1, Ki) = P (S(E(Ri−1)⊕Ki)),

with the operations E (expansion), S (S-box lookup), and P (permutation) discussed later. K1, K2, · · · , K16 are each bitstrings of length 48 computed as a function of the key K. The selection of these subkeys, the "key schedule", will be discussed later.

3. Apply the inverse of the initial permutation P to R16L16 and obtain the ciphertext.

Figure 3.1 describes the algorithm of DES. The function f(Ri−1, Ki) = P(S(E(Ri−1) ⊕ Ki)) works as follows. First, E(Ri−1) expands the 32 bits of Ri−1 to 48 bits in a certain way (16 bits appear twice). The expansion is specified by the following table.

32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1

[Figure 3.1: block diagram of DES. Labels in the figure: input, P, L0, R0, f, K1, R1L1, K2, · · · , R15L15, K16, L16R16, P^−1, output.]

Figure 3.1: The Data Encryption Standard

For a 32-bit string b1b2 · · · b32, the 48-bit output is b32b1b2b3b4b5b4 · · · b1. Then the round subkey Ki and the expanded data are XORed together.

The result is divided into eight 6-bit strings B = B1B2 · · · B8. These strings are then passed through the eight "S-boxes" S1, S2, · · · , S8. Each S-box takes a six-bit input and outputs four bits.

The S-boxes are the source of DES's complexity. We can write an S-box as a 4 × 16 table. The definitions of the S-boxes are listed in Table 3.1.

Suppose the input is b1b2b3b4b5b6. The bits b1, b6 determine the row, while the bits b2, b3, b4, b5 determine the column. The output is the entry at the intersection. Note that each possible four-bit entry 0, · · · , 15 appears in each row of the S-box output. For example, suppose the input of S2 is 111010. Then b1b6 = 10, which is 2 in decimal, and b2b3b4b5 = 1101, which is 13 in decimal. Therefore the output is 0011 (number 3).

Finally, the total 32-bit output is permuted according to the fixed permutation P described as follows.

16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25

The f function is depicted in Figure 3.2.

Now we need to describe the computation of the key schedule from the key K. Actually, K is a bitstring of length 64, but only 56 bits are used. The other 8 bits are used for parity checking (error detection). Thus the size of the key space is 2^56. The 56 bits are chosen as follows.

1 2 3 4 5 6 7 8
9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24
25 26 27 28 29 30 31 32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56

The 56-bit key is permuted according to the following table of permuted choice one (PC-1):

57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4

S1 =
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

S2 =
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

S3 =
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

S4 =
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

S5 =
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

S6 =
12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

S7 =
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

S8 =
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

Table 3.1: S-boxes of DES

[Figure 3.2: diagram of the f function. Ri−1 passes through E to give E(Ri−1), which is XORed with Ki; the result is split into B1 B2 B3 B4 B5 B6 B7 B8, passed through S1 S2 S3 S4 S5 S6 S7 S8 to give C1C2C3C4C5C6C7C8, and finally permuted by P to give f(Ri−1, Ki).]

Figure 3.2: The DES f function

Then the 56-bit key is split into two 28-bit halves and each half is rotated (shifted) one or two bits each round (one bit in rounds 1, 2, 9 and 16; two bits otherwise). In each round, the two halves are put back together, and then 48 particular bits are chosen and put in the order given by the following table (PC-2):


14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32

So the 14th bit is put in the first place, the 17th bit is put in the second place, etc. The output is the round key.

Decryption is done using the same algorithm as encryption, starting with grouping the ciphertext into 64-bit strings. This is one advantage of the Feistel type cipher. Note that the DES algorithm has the following properties:

Ri−1 = Li

Li−1 = Li−1 ⊕ f(Ri−1, Ki) ⊕ f(Ri−1, Ki) = Ri ⊕ f(Ri−1, Ki) = Ri ⊕ f(Li, Ki)

Therefore, using the key schedule K16, · · · , K1 in reverse order, the output will be the plaintext.
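The round structure of steps 1 to 3, the key schedule (rotations by the amounts given above followed by PC-2), and the decryption property just stated can all be exercised in a few dozen lines. The following is an added example, not code from the notes or from any DES implementation: it uses the PC-2 table and the rotation schedule exactly as printed above, but replaces DES's f with a hypothetical keyed-hash round function (toy_f), omits the initial permutation P, and assumes the 56-bit key has already been through PC-1. The point it demonstrates is structural: whatever f is, running the same network with the subkeys in reverse order inverts it.

```python
import hashlib

# PC-2 and the per-round rotation amounts, copied from the notes (rounds 1, 2, 9 and 16
# rotate by one bit, all others by two).
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def key_schedule(key56):
    """key56: 56-character '0'/'1' string, assumed to be the key after PC-1.
    Returns the 16 round keys K1..K16, each a 48-bit string."""
    assert len(key56) == 56 and set(key56) <= {"0", "1"}
    c, d = key56[:28], key56[28:]
    subkeys = []
    for s in SHIFTS:
        c, d = c[s:] + c[:s], d[s:] + d[:s]            # left-rotate each 28-bit half
        cd = c + d
        subkeys.append("".join(cd[i - 1] for i in PC2))  # PC-2 picks 48 of the 56 bits
    return subkeys


def toy_f(right, subkey):
    """Hypothetical round function, NOT DES's f: a keyed hash truncated to 32 bits.
    Any function of (R_{i-1}, K_i) works here; it need not be invertible."""
    return hashlib.sha256(subkey.encode() + right).digest()[:4]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block, subkeys):
    """16 rounds of L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i); output is R16 L16,
    i.e. the halves are swapped at the end, as in DES."""
    assert len(block) == 8
    L, R = block[:4], block[4:]
    for k in subkeys:
        L, R = R, xor(L, toy_f(R, k))
    return R + L


def encrypt(block, key56):
    return feistel(block, key_schedule(key56))


def decrypt(block, key56):
    # Same network, same f; only the order of the round keys is reversed.
    return feistel(block, key_schedule(key56)[::-1])


if __name__ == "__main__":
    key = "0110" * 14                       # constructed 56-bit key
    pt = b"ABCDEFGH"                        # constructed 64-bit plaintext block
    ct = encrypt(pt, key)
    print(ct.hex(), decrypt(ct, key))
```

Because the total rotation over 16 rounds is 28 bits, the two halves return to their starting position after the last round, which is what lets a hardware implementation run the schedule backwards for decryption.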

DES can be implemented very efficiently, either in hardware or in software.

3.2 Attacks on DES

When DES was proposed as a standard, there was considerable criticism, quickly followed by attacks. Some researchers objected to the system's small key space. There were even rumours that the NSA (National Security Agency) had pressed for a shorter key length. Another objection to DES concerned the S-boxes. Several people have suggested that the S-boxes might contain hidden "trapdoors" which would allow the NSA to decrypt messages. There have been many attacks on DES. Most of them are known-plaintext attacks or chosen-plaintext attacks.

One well-known attack on DES is the method called differential cryptanalysis, introduced by Biham and Shamir. Although the S-boxes have balanced output (each possible output appears four times, once in each row), the output differences for pairs of inputs have an uneven distribution. More precisely, suppose (B1, B1'), (B2, B2'), · · · , (B64, B64') are 64 pairs in (Z2)^6 such that Bj ⊕ Bj' = Bi ⊕ Bi' for each 1 ≤ i ≤ j ≤ 64 (the pairs with the same difference). Then the "differences" of the S-box outputs, S(Bi) ⊕ S(Bi'), have a non-uniform distribution. Therefore we are able to find the differences in input pairs that have a high probability of causing certain differences in output pairs in an iterated round. From this fact, we can get some information about the key from a chosen-plaintext attack. We will not discuss the details of differential cryptanalysis here, but mention that Biham and Shamir indicated in 1990 that differential cryptanalysis requires only 2^47 inputs, fewer than the 2^56 required by exhaustive key search.
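The two S-box properties mentioned above, balanced rows and a non-uniform distribution of output differences, are easy to measure directly, and this measurement is the standard check a cipher designer runs on a candidate S-box. The following is an added example, not code from the notes: it takes S2 exactly as printed in Table 3.1, implements the row/column lookup rule, and tabulates, for every input difference dx, how the 64 input pairs with that difference are distributed over the 16 possible output differences (uniform would be 4 per cell). Function names are this example's own.

```python
# S2 from Table 3.1 of the notes, indexed [row][column].
S2 = [
    [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
    [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
    [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
    [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
]


def sbox(box, x):
    """6-bit input x = b1..b6 (b1 most significant): row from (b1, b6),
    column from b2 b3 b4 b5, as described in the notes. Returns the 4-bit output."""
    assert 0 <= x < 64
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return box[row][col]


def is_balanced(box):
    """Each row is a permutation of 0..15: every output value appears once per row."""
    return all(sorted(row) == list(range(16)) for row in box)


def difference_table(box):
    """N[dx][dy] = number of inputs x with S(x) xor S(x xor dx) == dy.
    Every row sums to 64 (one entry per input x); a flat row would read 4 everywhere."""
    table = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            table[dx][sbox(box, x) ^ sbox(box, x ^ dx)] += 1
    return table


def most_likely_differentials(box, top=3):
    """(dx, dy, count) with the largest counts among dx != 0; count/64 is the probability
    that input difference dx produces output difference dy."""
    table = difference_table(box)
    entries = [(dx, dy, table[dx][dy]) for dx in range(1, 64) for dy in range(16)]
    return sorted(entries, key=lambda e: -e[2])[:top]


if __name__ == "__main__":
    print(sbox(S2, 0b111010))            # the worked example in the notes
    print(is_balanced(S2))
    for dx, dy, n in most_likely_differentials(S2):
        print(f"dx={dx:06b} dy={dy:04b} count={n}/64")
```

The input difference 0 trivially maps to output difference 0 for all 64 inputs; every count is even because x and x ⊕ dx form the same pair. It is the nonzero rows with a cell well above 4 that differential cryptanalysis exploits, and a modern S-box is chosen so that the largest such cell is as small as the size allows.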

Another method used to attack DES is called linear cryptanalysis, discovered by Matsui. This attack examines sums of plaintext and ciphertext bits to reveal information about sums of key bits. Here "sum" means XOR. Matsui's known-plaintext attack on DES required studying 2^43 encrypted texts.

Although differential cryptanalysis and linear cryptanalysis do not break DES, these attacks are very important: the techniques apply to any block cipher.

On the other hand, people tried to construct efficient exhaustive key search machines to break DES. In 1998, the Electronic Frontier Foundation (EFF) built the "DES Cracker" using custom-designed chips and a personal computer. Costing less than $250,000 and taking less than a year to build, the DES Cracker broke a message in 56 hours. In 1999, this result was improved to 22 hours using a combination of 100,000 networked PCs and the EFF machine.

3.3 DES Modes and Triple-DES

DES has had wide application in the world. To apply DES in a variety of applications, four modes have been developed (FIPS PUB 81). Another mode is included in NIST (National Institute of Standards and Technology) Special Publication 800-38A. In this section, we give a brief description of these modes. Note that these modes are applicable to other block ciphers such as AES, which we will discuss later.

ECB (Electronic Codebook mode): ECB mode corresponds to the usual use of a block cipher. The plaintext is grouped into blocks of 64 bits and each block is encrypted with the same key K.

CBC (Cipher Block Chaining mode): In CBC mode, each ciphertext block yi is XORed with the next plaintext block xi+1 before xi+1 is encrypted with the key K. An initialization vector IV = y0 is chosen before encryption. This mode uses an idea similar to the autokey cipher. Using this mode, the encryption can be described as follows.

y1 = eK(y0 ⊕ x1),
y2 = eK(y1 ⊕ x2),
· · ·
yn = eK(yn−1 ⊕ xn).

The decryption of CBC mode is as follows.

x1 = dK(y1) ⊕ y0,
x2 = dK(y2) ⊕ y1,
· · ·
xn = dK(yn) ⊕ yn−1.

CFB (Cipher Feedback mode): In CFB mode, we start with an initialization vector y0 = IV and produce the key stream zi = eK(yi−1), i ≥ 1. The ciphertext blocks are yi = xi ⊕ zi, i ≥ 1. So the encryption is as follows.

y1 = x1 ⊕ eK(y0),
y2 = x2 ⊕ eK(y1),
· · ·
yn = xn ⊕ eK(yn−1).

In this mode, we do not need the decryption function to decrypt a ciphertext:

x1 = y1 ⊕ eK(y0),
x2 = y2 ⊕ eK(y1),
· · ·
xn = yn ⊕ eK(yn−1).

OFB (Output Feedback mode): In OFB mode, let z0 = IV be an initialization vector. The key stream is zi = eK(zi−1), i ≥ 1, and the ciphertext blocks are yi = xi ⊕ zi, i ≥ 1. The OFB mode is similar to a synchronous stream cipher.


CTR (Counter mode): In CTR mode, a counter c is selected, which has the same size as a plaintext block (64 bits in DES). The encryption is as follows.

y1 = x1 ⊕ eK(c),
y2 = x2 ⊕ eK(c + 1),
· · ·
yn = xn ⊕ eK(c + n − 1).

In DES, the size of the blocks in both plaintext and ciphertext is 64 bits. However, when we use CFB, OFB or CTR mode, the block size of the plaintext can be any number less than or equal to 64 bits. For example, if there is a plaintext block with 16 bits in CFB mode, then the encryption can be yi = xi ⊕ s16(zi), where sj(zi) means the j most significant bits of zi. In this way, we can avoid adding padding to the plaintext.

The different modes of operation have different advantages and disadvantages. ECB is usually used for encrypting short messages. In ECB and OFB modes, changing one plaintext block only changes the corresponding ciphertext block. Other ciphertext blocks will not be affected. This property is desirable for transmission over a noisy channel (e.g., satellite communication). However, in ECB mode the same plaintext blocks will produce the same ciphertext blocks, so one might find patterns in the ciphertext if the same blocks repeat several times in a long plaintext.

On the other hand, if a plaintext block is changed in CBC and CFB modes, then the corresponding ciphertext block and all subsequent ciphertext blocks will be affected. This property makes CBC and CFB useful for purposes of authentication. We will discuss message authentication codes later.

CFB, OFB and CTR modes use the encryption function for both encryption and decryption, which simplifies the cryptosystem. In addition, CTR mode can do parallel encryption, i.e., several blocks can be encrypted at the same time, whereas CFB and OFB modes can only encrypt sequentially.
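The five modes and the propagation properties just described can be checked mechanically once eK and dK are available. The following is an added example, not code from the notes: it implements ECB, CBC, CFB, OFB and CTR exactly as the equations above state them, with a constructed stand-in for eK (an invertible affine map on 64-bit values, deliberately simple and of no cryptographic strength, used only so that CBC decryption has a dK to call). changed_blocks flips one bit in a plaintext block and counts how many ciphertext blocks move, which is the property the text uses to distinguish the modes; the repeated block in the constructed plaintext shows the ECB pattern leak.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES


def _toy_key(key):
    """Derive (a, b) from the key; a is odd so that multiplication is invertible mod 2^64."""
    d = hashlib.sha256(key).digest()
    return int.from_bytes(d[:8], "big") | 1, int.from_bytes(d[8:16], "big")


def e_K(key, block):
    """Constructed stand-in for the block cipher e_K: an affine permutation of 64-bit values.
    Invertible, which is all the modes need; it is NOT a secure cipher."""
    a, b = _toy_key(key)
    x = int.from_bytes(block, "big")
    return ((a * x + b) % 2**64).to_bytes(BLOCK, "big")


def d_K(key, block):
    """Inverse of e_K (the d_K of the notes)."""
    a, b = _toy_key(key)
    y = int.from_bytes(block, "big")
    return (((y - b) * pow(a, -1, 2**64)) % 2**64).to_bytes(BLOCK, "big")


def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))


def blocks(data):
    assert len(data) % BLOCK == 0, "caller pads to a whole number of blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(e_K(key, x) for x in blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(d_K(key, y) for y in blocks(ct))


def cbc_encrypt(key, iv, pt):
    out, y = [], iv                          # y_0 = IV
    for x in blocks(pt):
        y = e_K(key, xor(y, x))              # y_i = e_K(y_{i-1} xor x_i)
        out.append(y)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for y in blocks(ct):
        out.append(xor(d_K(key, y), prev))   # x_i = d_K(y_i) xor y_{i-1}
        prev = y
    return b"".join(out)


def cfb_encrypt(key, iv, pt):
    out, y = [], iv
    for x in blocks(pt):
        y = xor(x, e_K(key, y))              # y_i = x_i xor e_K(y_{i-1})
        out.append(y)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for y in blocks(ct):
        out.append(xor(y, e_K(key, prev)))   # x_i = y_i xor e_K(y_{i-1}); only e_K is used
        prev = y
    return b"".join(out)


def ofb_crypt(key, iv, data):
    """OFB encrypts and decrypts with the same code; z_i = e_K(z_{i-1}) never sees the data."""
    out, z = [], iv
    for x in blocks(data):
        z = e_K(key, z)
        out.append(xor(x, z))
    return b"".join(out)


def ctr_crypt(key, counter, data):
    """CTR: y_i = x_i xor e_K(c + i - 1); blocks are independent, so they can run in parallel."""
    out = []
    for i, x in enumerate(blocks(data)):
        c = ((counter + i) % 2**64).to_bytes(BLOCK, "big")
        out.append(xor(x, e_K(key, c)))
    return b"".join(out)


def changed_blocks(encrypt, pt, which):
    """Flip one bit in plaintext block `which` and count the ciphertext blocks that change."""
    altered = bytearray(pt)
    altered[which * BLOCK] ^= 0x01
    before, after = blocks(encrypt(pt)), blocks(encrypt(bytes(altered)))
    return sum(1 for a, b in zip(before, after) if a != b)


KEY = b"constructed demo key"
IV = bytes(BLOCK)
# Constructed plaintext of four blocks in which blocks 1 and 3 are identical.
PT = b"block_A_" + b"block_B_" + b"block_C_" + b"block_B_"
```

With PT as constructed, ECB yields identical ciphertext blocks in positions 1 and 3, while CBC and CFB do not; flipping a bit in block 0 changes one ciphertext block under ECB, OFB and CTR and all four under CBC and CFB.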

Since there are serious concerns about the key size of DES, we consider using a product of DES with itself to enlarge the key space. It was proved in 1992 that DES is not idempotent, so we can try to use the product method for DES.

First we try double DES. We choose two keys K1 and K2 and encrypt a plaintext block x as follows:

y = eK2(eK1(x)).


However, there is a method called the meet-in-the-middle attack that breaks this system. Let

m = eK1(x) = dK2(y).

Then we can perform a known-plaintext attack as follows. Suppose we know the values of x and y. First we use all 2^56 keys to encrypt the plaintext x and store these values (sorted) in a table. Then we use the 2^56 possible keys to decrypt the ciphertext y and check against the table. In this way we might find m and the two keys. Because there are efficient sort and search algorithms, double DES does not give much improvement over DES.
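The argument above is about work factor: two keys of k bits cost about 2 · 2^k cipher calls to recover, not 2^(2k), which is why double encryption is not used. The following is an added example, not code from the notes: it runs the table-lookup procedure just described against a constructed 16-bit toy cipher with 12-bit keys (so the table has 4096 entries and the whole search finishes instantly). The toy cipher, its key size and the known (x, y) pairs are this example's own; the second and third known pairs serve only to discard accidental matches in the table.

```python
KEY_BITS = 12   # toy key space of 2^12 keys, so 2^24 pairs for double encryption


def rol16(x, n):
    return ((x << n) | (x >> (16 - n))) & 0xFFFF


def ror16(x, n):
    return ((x >> n) | (x << (16 - n))) & 0xFFFF


def round_keys(k):
    """Three constructed round keys derived from the 12-bit key k."""
    return (k, (k * 0x2B5) & 0xFFF, k ^ 0x5A5)


def toy_round(x, r):
    return rol16((x + r) & 0xFFFF, 5) ^ r          # add, rotate, xor: mixes two group ops


def toy_round_inv(y, r):
    return (ror16(y ^ r, 5) - r) & 0xFFFF


def toy_e(k, x):
    """Constructed 16-bit block cipher (not DES): three add-rotate-xor rounds."""
    for r in round_keys(k):
        x = toy_round(x, r)
    return x


def toy_d(k, y):
    for r in reversed(round_keys(k)):
        y = toy_round_inv(y, r)
    return y


def double_e(k1, k2, x):
    """y = e_{K2}(e_{K1}(x)), the double encryption of the notes."""
    return toy_e(k2, toy_e(k1, x))


def meet_in_the_middle(pairs):
    """pairs: known (x, y) with y = e_{K2}(e_{K1}(x)). Returns candidate (k1, k2) pairs.
    Cost is about 2 * 2^KEY_BITS cipher calls plus table lookups, not 2^(2*KEY_BITS)."""
    x0, y0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):                # forward half: m = e_{k1}(x0)
        table.setdefault(toy_e(k1, x0), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):                # backward half: m = d_{k2}(y0)
        for k1 in table.get(toy_d(k2, y0), []):
            # A match on one pair can be a coincidence; confirm on the remaining pairs.
            if all(double_e(k1, k2, x) == y for x, y in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


K1, K2 = 0x3A7, 0x9C1                              # constructed secret keys
KNOWN = [(x, double_e(K1, K2, x)) for x in (0x1234, 0xBEEF, 0x0042)]  # known-plaintext pairs

if __name__ == "__main__":
    print(meet_in_the_middle(KNOWN))
```

The table is the whole trick: memory of size 2^k replaces a second factor of 2^k in time. Against real DES the table would hold 2^56 entries, which is why the text says the attack "might" find the keys in principle while still leaving double DES no better than roughly 57 bits of security.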

Next we consider triple DES. An obvious way is to use three keys and three rounds. In 1979, Tuchman proposed a triple encryption method that uses only two keys, as follows:

y = eK1(dK2(eK1(x))).

Triple DES with two keys has been adopted for use in the key management standards. One advantage of using dK2 instead of eK2 is that if we let K2 = K1, then triple DES reduces to single DES:

y = eK1(dK1(eK1(x))) = eK1(x).

There is also triple DES with three keys defined as follows.

y = eK3(dK2(eK1(x))).

Three-key triple DES is applied in some Internet-based applications. Although triple DES has a larger key space, its running time is also tripled. Another disadvantage of 3-DES is that its block size is 64 bits. For security reasons, a larger block size is desirable.

3.4 The Advanced Encryption Standard

The National Institute of Standards and Technology (NIST) announced the Advanced Encryption Standard (AES) on November 26, 2001 (FIPS PUB 197, see http://cscr.nist.gov/publications/). As the successor of DES, AES uses a much larger key space. AES has three settings. The Key-Block-Round combinations of this standard are shown in Figure 3.3.

          Key Length   Block Size   Number of Rounds
AES-128   128 bits     128 bits     10
AES-192   192 bits     128 bits     12
AES-256   256 bits     128 bits     14

Figure 3.3: Key-Block-Round Combinations

AES was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. This cryptosystem relies more directly on algebraic constructions than the other modern cryptosystems do. The original cryptosystem proposed by Daemen and Rijmen (they call it Rijndael) allowed three different block sizes. AES uses the fixed 128-bit block to simplify the system.

In Section 2.2 we defined a commutative ring. If every non-zero element in a commutative ring has a multiplicative inverse, then the ring is a field. A field with finitely many elements is called a finite field or Galois field, and is denoted GF(q), where q is the number of elements. The following theorem is well-known (see Section 3.6 for more material about finite fields).

Theorem 3.4.1 A GF(q) exists if and only if q is a power of a prime.

AES uses GF(2^8) (with the irreducible polynomial x^8 + x^4 + x^3 + x + 1, which determines the operations in GF(2^8)), in which each element can be expressed as a byte (8-bit string). In AES, the 128 bits of a plaintext block are written as 16 bytes and placed in a 4 × 4 array of elements of GF(2^8) as follows (arranged column by column).

in0 in4 in8 in12
in1 in5 in9 in13
in2 in6 in10 in14
in3 in7 in11 in15

For convenience, a byte is also expressed using hexadecimal notation. The hexadecimal digits are denoted {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f}. One byte can be written as two hexadecimal digits. For example, the byte {10110101} can be written as {b5} (1011 and 0101).

AES is also an iterated cryptosystem. AES does not use a Feistel structure, so it puts the whole block, not half of the block, through the S-boxes. In this way, an inverse algorithm, the decryption algorithm, must be provided.

In the encryption algorithm of AES, each round consists of four operations (transformations): SubBytes, ShiftRows, MixColumns and AddRoundKey (the last round skips the MixColumns operation).

The SubBytes transformation is a non-linear substitution using a substitution table (S-box). The S-box of the transformation is presented in hexadecimal form in Figure 3.4.

63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

Figure 3.4: S-Box in AES

Suppose a byte in the input array is 01011010. Then we can write it as two hexadecimal digits, 5a (0101 and 1010). The output is the element in row 5 and column a of the table, i.e., be. So the output is 10111110. Different from DES's S-boxes, this S-box is formed by algebraic operations. First each input element is replaced by its multiplicative inverse in GF(2^8) (while 00 is mapped to itself). Then the byte undergoes a fixed affine transformation.


This transformation can be described as follows. Suppose the inverse of the element is b7b6b5b4b3b2b1b0 and the output is b'7b'6b'5b'4b'3b'2b'1b'0. Then

(b'0, b'1, b'2, b'3, b'4, b'5, b'6, b'7)^T = M · (b0, b1, b2, b3, b4, b5, b6, b7)^T ⊕ (1, 1, 0, 0, 0, 1, 1, 0)^T,

where M is the 8 × 8 matrix

1 0 0 0 1 1 1 1
1 1 0 0 0 1 1 1
1 1 1 0 0 0 1 1
1 1 1 1 0 0 0 1
1 1 1 1 1 0 0 0
0 1 1 1 1 1 0 0
0 0 1 1 1 1 1 0
0 0 0 1 1 1 1 1

Note that the computation of the above equation is in Z2.

In the ShiftRows transformation, the operation cyclically shifts the elements of the ith row of the array i elements to the right, where i = 0, 1, 2, 3. After ShiftRows, the block looks as follows.

in0 in4 in8 in12

in5 in9 in13 in1

in10 in14 in2 in6

in15 in3 in7 in11

The MixColumns transformation operates on the input column by column. Suppose the input column is (S0, S1, S2, S3)^T. Then the output column (S'0, S'1, S'2, S'3)^T is given by

S'0 = ({02} · S0) ⊕ ({03} · S1) ⊕ S2 ⊕ S3

S'1 = S0 ⊕ ({02} · S1) ⊕ ({03} · S2) ⊕ S3

S'2 = S0 ⊕ S1 ⊕ ({02} · S2) ⊕ ({03} · S3)

S'3 = ({03} · S0) ⊕ S1 ⊕ S2 ⊕ ({02} · S3),

where (·) is the multiplication in GF(2^8).

Finally, the AddRoundKey transformation adds a round key to each column of the input using the bitwise XOR operation. The size of a round key is 128 bits. We can describe the AES encryption algorithm as follows. Suppose there are Nr iteration rounds. Then a key schedule algorithm will create Nr + 1 round keys ki, i = 0, 1, · · · , Nr. A block of plaintext goes through the following.

• Add round key using k0.

• From round 1 to round Nr − 1, perform the transformations SubBytes, ShiftRows, MixColumns, AddRoundKey using ki, i = 1, · · · , Nr − 1.

• Perform SubBytes, ShiftRows and AddRoundKey using kNr.
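Three of the AES building blocks above, the S-box (inverse in GF(2^8) followed by the affine map), MixColumns, and the key expansion of Figure 3.5 that produces the round keys k0, · · · , kNr, are small enough to implement from the definitions and check against the figures. The following is an added example, not code from the notes or from FIPS 197: it builds the S-box algebraically rather than copying Figure 3.4 (so a single wrong table entry would show up as a mismatch), evaluates the four MixColumns equations on one column, and runs the key expansion for any of the three key lengths. The affine map is written with byte rotations, which is the same matrix M row by row; function names are this example's own.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:           # degree reached 8: reduce by the AES polynomial
            a ^= 0x11b
        b >>= 1
    return r & 0xFF


def gf_inv(a):
    """Multiplicative inverse in GF(2^8); 00 is mapped to itself, as SubBytes requires."""
    if a == 0:
        return 0
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)


def rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF


def affine(b):
    """The fixed affine map: row i of M says b'_i = b_i + b_(i+4) + b_(i+5) + b_(i+6) + b_(i+7)
    (indices mod 8, sums in Z_2), then the constant column (1,1,0,0,0,1,1,0) = 0x63 is added."""
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63


SBOX = [affine(gf_inv(i)) for i in range(256)]   # should reproduce Figure 3.4 exactly


def sub_byte(b):
    return SBOX[b]


def mix_column(col):
    """One column of MixColumns: the four equations of the notes, {02} and {03} in GF(2^8)."""
    s0, s1, s2, s3 = col
    return [gf_mul(2, s0) ^ gf_mul(3, s1) ^ s2 ^ s3,
            s0 ^ gf_mul(2, s1) ^ gf_mul(3, s2) ^ s3,
            s0 ^ s1 ^ gf_mul(2, s2) ^ gf_mul(3, s3),
            gf_mul(3, s0) ^ s1 ^ s2 ^ gf_mul(2, s3)]


def rcon(i):
    """Rcon[i] = [y_i, 00, 00, 00] with y_i = x^(i-1) in GF(2^8)."""
    y = 1
    for _ in range(i - 1):
        y = gf_mul(y, 2)
    return bytes([y, 0, 0, 0])


def xor_words(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def key_expansion(key):
    """KeyExpansion of Figure 3.5: returns the 4(Nr+1) words w[0..]; Nk = len(key)/4."""
    nk = len(key) // 4
    assert nk in (4, 6, 8), "AES-128, AES-192 or AES-256 key"
    nr = nk + 6                                   # 10, 12 or 14 rounds (Figure 3.3)
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            rot = temp[1:] + temp[:1]                                  # RotWord
            temp = xor_words(bytes(SBOX[b] for b in rot), rcon(i // nk))  # SubWord, Rcon
        elif nk > 6 and i % nk == 4:
            temp = bytes(SBOX[b] for b in temp)                        # SubWord (AES-256)
        w.append(xor_words(w[i - nk], temp))
    return w


if __name__ == "__main__":
    print(hex(sub_byte(0x5a)))                    # the worked example in the notes
    print([hex(v) for v in mix_column([0xdb, 0x13, 0x53, 0x45])])
    print([word.hex() for word in key_expansion(bytes(16))[:8]])
```

The test vectors used below are standard ones: for the all-zero AES-128 key, w[4..7] are all 62636363 and w[8] is 9b9898c9; for the FIPS 197 example key 2b7e1516 28aed2a6 abf71588 09cf4f3c, w[4] is a0fafe17.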

The key schedule of AES is obtained from the KeyExpansion() algorithm shown in Figure 3.5, where a byte is an 8-bit string and a word consists of 4 bytes. In the algorithm, Nk is the number of words in the key and Nr is the number of rounds. SubWord() is a function that takes a four-byte input word and applies the S-box to each of the four bytes to produce an output word. The function RotWord() performs a cyclic permutation on the four bytes of the input word. The round constant word array, Rcon[i], contains the values given by [yi, {00}, {00}, {00}], where

yi = 10 · · · 0 (a 1 followed by i − 1 zeros) ∈ GF(2^8), i.e., yi = x^(i−1).

The decryption algorithm of AES is a straightforward inversion of the encryption algorithm. We can use the inverted transformations of encryption: InvShiftRows, InvSubBytes, InvMixColumns and AddRoundKey. The details of the decryption algorithm are omitted here.

From the algorithms of AES, we can see that AES takes advantage of 32-bit processors (while DES is for 8-bit processors). The S-boxes in AES are proved to be good against differential and linear cryptanalysis. The implementations of AES in both hardware and software are efficient.

KeyExpansion(byte key[4*Nk], word w[4(Nr+1)], Nk)
begin
  word temp
  i = 0
  while (i < Nk)
    w[i] = word(key[4*i], key[4*i+1], key[4*i+2], key[4*i+3])
    i = i + 1
  end while
  i = Nk
  while (i < 4(Nr+1))
    temp = w[i−1]
    if (i mod Nk = 0)
      temp = SubWord(RotWord(temp)) ⊕ Rcon[i/Nk]
    else if (Nk > 6 and i mod Nk = 4)
      temp = SubWord(temp)
    end if
    w[i] = w[i−Nk] ⊕ temp
    i = i + 1
  end while
end

Figure 3.5: Pseudo Code for Key Expansion

3.5 Some Other Block Ciphers

In 1997, the National Institute of Standards and Technology (NIST) announced a competition for the algorithm of the Advanced Encryption Standard (AES), which would replace DES. This time, NIST allowed foreign submissions and foreign review of the candidates.

NIST published evaluation criteria for AES candidates. The criteria consist of three parts, which can be seen as the requirements for modern block ciphers.

• Security: Randomness of the output, sound mathematical basis andother security considerations.

• Cost: Computational efficiency, memory requirement.

• Algorithm and implementation characteristics: Flexibility (key and block sizes, different platforms and applications, implementations), hardware and software suitability and simplicity.

AES candidates were due June 15, 1998. Of the twenty-one submissions, fifteen met NIST's criteria. In August 1999, NIST announced the five final candidates. One of the five finalists, Rijndael, was selected to be AES in 2001.

Now we briefly describe the other four final candidates.

MARS was developed by IBM; it breaks the 128-bit input block into four 32-bit words. MARS uses a 32-round unbalanced Feistel type algorithm. In each of these rounds MARS uses two S-boxes with one distinguished word. The S-boxes used in MARS were built using a hash function applied to some fixed constant.

RC6 was developed by RSA Security Inc. and is modified from RC5. The structure of RC6 is simpler than the others. Basically, the algorithm uses XOR, addition and rotation operations. RC6 operates on four 32-bit words and treats these words in pairs. RC6 uses a 20-round cipher. In each round, data-dependent rotations are used for the cryptographic complexity (instead of S-boxes).

Twofish was proposed by Counterpane Systems, a U.S.A.-based cryptographic consulting firm. Twofish uses a 16-round Feistel algorithm. The 128-bit input is broken into four 32-bit words. In each round, four distinct S-boxes are used. These S-boxes (8-bit to 8-bit) are key dependent, which is different from the S-boxes in other systems. Twofish also uses matrix multiplication, addition and rotation in a round.

Serpent was created by three cryptographers from the United Kingdom, Israel, and Denmark. Serpent is a 32-round algorithm. Each round consists of XORing the key and input, a pass through S-boxes, and a linear function that combines fixed rotations and XOR. 32 identical S-boxes (4-bit to 4-bit) are used in a round (but different rounds use different ones).

There are also several other encryption systems that are or have been used on the Internet. We simply list them as follows, without details, for reference.

IDEA (International Data Encryption Algorithm) was developed by Xuejia Lai and James Massey of the Swiss Federal Institute of Technology. IDEA uses a 128-bit key and encrypts data in blocks of 64 bits.

Blowfish was developed by Bruce Schneier. Blowfish uses a key ranging from 32 bits to 448 bits and encrypts blocks of 64 bits.

RC5 was developed by Ron Rivest. The key range of RC5 is from 0 to 2040 bits. The length of a data block is 32, 64 or 128 bits.

CAST-128 was developed by Carlisle Adams and Stafford Tavares. The key size of CAST varies from 40 bits to 128 bits in 8-bit increments. The length of a block is 64 bits.

RC2 was also developed by Ron Rivest. The key range of RC2 is from 8 to 1024 bits. The length of a data block is 64 bits.

3.5.1 CMVP

The Cryptographic Module Validation Program (CMVP) is a joint American and Canadian security accreditation program for cryptographic modules. The program is available to any vendor that seeks to have its products certified for use by the U.S. Government and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate "sensitive, but not classified" information. All of the tests under the CMVP are handled by third-party laboratories that are accredited as Cryptographic Module Testing Laboratories by the National Voluntary Laboratory Accreditation Program (NVLAP). Product certifications under the CMVP are performed in accordance with the requirements of FIPS 140-2.

The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.

The CMVP was established by the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the Government of Canada in July 1995.

3.6 Finite Fields

We already defined finite fields in Section 2.9. As an example, we have seen that $Z_p$ is a finite field. For the existence of finite fields, we have the following theorem.

Theorem 3.6.1 There exists a finite field of order m if and only if $m = p^n$, where p is a prime number and n is a positive integer.

A finite field with $p^n$ elements is called a Galois field, denoted by $GF(p^n)$. $GF(p)$ for a prime p is equivalent to $Z_p$. $GF(p^n)$, n > 1, can be built from GF(p) using an irreducible polynomial of degree n over GF(p). In the following, we briefly discuss the structure of $GF(p^n)$.

A polynomial of degree n on GF(p) can be expressed as

\[ P(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0 = \sum_{i=0}^{n} a_i x^i, \]

where $0 \le a_i \le p-1$ and $a_n \ne 0$ (or we say that $a_i \in GF(p)$, $a_n \ne 0$). The polynomial P(x) is irreducible if P(x) cannot be written as a product of two polynomials both of degree less than n.

For two polynomials, we can define addition and multiplication.

Example 3.6.2 Suppose $P_1(x) = x^3 + x^2 + 1$ and $P_2(x) = x^3 + x + 2$ are two polynomials defined on GF(3). Then

\[ P_1(x) + P_2(x) = 2x^3 + x^2 + x \]

and

\[ P_1(x)P_2(x) = x^6 + x^5 + x^4 + x^3 + 2x^2 + x + 2. \]

Note that the coefficients are computed in GF (3).

It is not difficult to verify that the polynomials defined on GF(p) form a commutative ring under polynomial addition and multiplication. Now we define modular polynomial arithmetic. Suppose m(x) is a polynomial defined on GF(p). For a polynomial P(x) on GF(p), if

\[ P(x) = q(x)m(x) + r(x), \]

where the degree of r(x) is lower than that of m(x), then we write

\[ P(x) \equiv r(x) \pmod{m(x)}, \]

and say that P(x) is congruent to r(x) modulo m(x). All the polynomials defined on GF(p), with polynomial addition and multiplication reduced by m(x), form the modular polynomial arithmetic on GF(p) with modulus m(x). In that modular polynomial arithmetic, the degree of each polynomial is less than the degree of m(x). The addition is just polynomial addition over GF(p). The result of the multiplication of two polynomials is reduced modulo m(x).

For a nonzero polynomial P(x), if there is a polynomial f(x) such that

\[ P(x)f(x) \equiv 1 \pmod{m(x)}, \]

then we say that f(x) is the multiplicative inverse of P(x) in the modular polynomial arithmetic, and sometimes denote it as $f(x) = P^{-1}(x)$. Obviously, 0 and 1 are the additive identity and the multiplicative identity, respectively, in the modular polynomial arithmetic. It is not difficult to check that the modular polynomial arithmetic is a commutative ring.

It can be proved that if m(x) is an irreducible polynomial of degree n, then every nonzero element in the modular polynomial arithmetic has a multiplicative inverse. Therefore it becomes a finite field of order $p^n$.

Now we can construct the $GF(2^8)$ used in AES. The following irreducible polynomial defined on $Z_2$ is used to construct the finite field:

\[ m(x) = x^8 + x^4 + x^3 + x + 1. \]

Each element in $GF(2^8)$ can be expressed as a polynomial or as an 8-bit binary string. For example, the following notations denote the same element of $GF(2^8)$:

\[ x^6 + x^4 + x^2 + x + 1 \qquad 01010111 \]

Suppose there is another element $x^7 + x^4 + x$ (10010010). The addition in that field is simple:

\[ (x^6 + x^4 + x^2 + x + 1) + (x^7 + x^4 + x) = x^7 + x^6 + x^2 + 1. \]

Note that in binary notation, the addition is simply XOR:

\[ (01010111) \oplus (10010010) = 11000101. \]

The multiplication in $GF(2^8)$ is a little more complicated, but there is still an efficient way to do it. Note that

\[ x^8 \equiv x^4 + x^3 + x + 1 \pmod{m(x)}. \]

Suppose an element in $GF(2^8)$ is $P(x) = \sum_{i=0}^{7} b_i x^i$, where $b_i = 0$ or 1, i = 0, 1, ..., 7. Then

\[ xP(x) = \sum_{i=0}^{7} b_i x^{i+1} \equiv \begin{cases} \sum_{i=0}^{6} b_i x^{i+1} & \text{if } b_7 = 0, \\[4pt] \left(\sum_{i=0}^{6} b_i x^{i+1}\right) + x^4 + x^3 + x + 1 & \text{if } b_7 = 1. \end{cases} \]


Using the binary notation, this operation can be expressed as:

\[ xP(x) = \begin{cases} b_6 b_5 b_4 b_3 b_2 b_1 b_0 0 & \text{if } b_7 = 0, \\ (b_6 b_5 b_4 b_3 b_2 b_1 b_0 0) \oplus (00011011) & \text{if } b_7 = 1. \end{cases} \]

So to compute xP(x), we just need to do a shift and an XOR. Repeating this operation i times gives $x^i P(x)$. Thus we can use only shifts and XORs to do multiplications in $GF(2^8)$.
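The shift-and-XOR rule above, carried through to full multiplication and inversion in $GF(2^8)$, as an added example that is not part of the lecture notes. Elements are stored as 8-bit integers, the function names are my own, and the two elements from the text (01010111 and 10010010) are used as inputs.

```python
# Added example (not from the lecture notes): arithmetic in GF(2^8) as used by AES,
# with field elements stored as 8-bit integers and m(x) = x^8 + x^4 + x^3 + x + 1.

MODULUS = 0x11B   # bits of m(x) = x^8 + x^4 + x^3 + x + 1
REDUCE = 0x1B     # bits of x^4 + x^3 + x + 1, i.e. x^8 reduced mod m(x)


def poly_to_byte(exponents):
    """Encode the polynomial sum of x^e (e in exponents) as an 8-bit integer."""
    value = 0
    for e in exponents:
        if not 0 <= e <= 7:
            raise ValueError("an element of GF(2^8) has degree at most 7")
        value |= 1 << e
    return value


def gf_add(a, b):
    """Addition in GF(2^8): coefficient-wise addition mod 2, i.e. XOR."""
    return a ^ b


def xtime(p):
    """Multiply P(x) by x: shift left; if b7 was set, add (XOR) x^4+x^3+x+1."""
    shifted = (p << 1) & 0xFF          # b6 b5 b4 b3 b2 b1 b0 0
    if p & 0x80:                       # b7 = 1: the x^8 term must be reduced
        shifted ^= REDUCE
    return shifted


def gf_mul(a, b):
    """Multiply a and b in GF(2^8) using only shifts and XORs.

    Walk the bits of b from b0 upwards; the running value xi_a equals
    x^i * a (computed with xtime), and each set bit of b adds x^i * a.
    """
    result = 0
    xi_a = a                           # x^0 * a
    for i in range(8):
        if (b >> i) & 1:
            result ^= xi_a
        xi_a = xtime(xi_a)             # advance to x^(i+1) * a
    return result


def gf_pow(a, e):
    """a^e in GF(2^8) by square-and-multiply (e a non-negative integer)."""
    result, base = 1, a
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def gf_inv(a):
    """Inverse of a nonzero element: a^254, since the multiplicative group of
    GF(2^8) has order 255 and therefore a^255 = 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return gf_pow(a, 254)


def long_division_reduce(p):
    """Reduce a polynomial of any degree (given as an integer bit string) mod m(x)
    by long division; a cross-check of the shift-and-XOR rule."""
    while p.bit_length() > 8:
        shift = p.bit_length() - 9     # align m(x) with the leading term of p
        p ^= MODULUS << shift
    return p


if __name__ == "__main__":
    a = poly_to_byte([6, 4, 2, 1, 0])  # x^6 + x^4 + x^2 + x + 1 = 01010111
    b = poly_to_byte([7, 4, 1])        # x^7 + x^4 + x         = 10010010
    print(f"{a:08b} + {b:08b} = {gf_add(a, b):08b}")
    print(f"{a:08b} * {b:08b} = {gf_mul(a, b):08b}")
    print(f"inverse of {a:02x} is {gf_inv(a):02x}")
```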


Chapter 4

Public Key Encryption

In a conventional cryptosystem, Alice and Bob need a secret channel to distribute a key. This is usually done by physical delivery from Alice to Bob, or a third party decides on the key and sends it to both Alice and Bob secretly.

Now let us consider communication on a network. Suppose there are N hosts on the net. Then each pair of users requires a secret key, so the number of keys required by the system is N(N − 1)/2, and every user needs to store N − 1 keys. How to distribute and store these secret keys is a big problem, because the number of users on the internet is huge.

One method that can be used to reduce the number of keys is to establish a key distribution centre (KDC) on the net. Let each host share a (secret) master key with the KDC, so only N keys need to be distributed. When a host i wants to communicate with a host j, the KDC sends a session key to i and j on request. Since the KDC knows the hosts' master keys, the session key can be encrypted under i's and j's master keys. After i and j receive the encrypted session key, they decrypt it and then use the session key as their shared secret key. However, in this case there are still N secret master keys to be distributed through secret channels, and the existence of a KDC that knows every key is not satisfactory for privacy. In fact, in many circumstances a KDC is not acceptable. That leaves us with a question: can we create an encryption system that does not require distributing secret keys? This is why people invented public key cryptosystems.


4.1 Some Math Facts in Number Theory

Before introducing public-key cryptosystems we need to review some mathematical facts, since public-key systems rely on more mathematics.

The following facts can be found in any number theory textbook. We will just list these facts without proofs.

A prime number is a positive integer greater than 1 whose only positive divisors are 1 and itself. Any positive integer a can be uniquely written as a product of primes:

\[ a = \prod_p p^{\alpha_p}, \quad \alpha_p \ge 0,\ p \text{ prime}. \]

We use gcd(a, b) to denote the greatest common divisor of integers a and b. We say that a pair of integers a and b are relatively prime (or coprime) if gcd(a, b) = 1. For an integer n, define Euler's totient function ϕ(n) to be the number of positive integers which are less than n and relatively prime to n. For example, ϕ(6) = 2, ϕ(7) = 6 and ϕ(12) = 4. It is easy to see that for a prime p, ϕ(p) = p − 1, because each positive number which is less than p is coprime to p. The following fact will be useful: if p and q are different primes, then ϕ(pq) = (p − 1)(q − 1) = pq − p − q + 1. This comes from the fact that the positive integers which are less than pq and not coprime to pq are exactly $1 \cdot p, 2 \cdot p, \ldots, (q-1) \cdot p, 1 \cdot q, 2 \cdot q, \ldots, (p-1) \cdot q$.

The following theorem is called Euler’s Theorem.

Theorem 4.1.1 Suppose positive integers m and a are relatively prime. Then

\[ a^{\phi(m)} \equiv 1 \pmod m. \]

Since ϕ(6) = 2 and ϕ(12) = 4, we have $5^2 \equiv 1 \pmod 6$ and $7^4 \equiv 1 \pmod{12}$ by Theorem 4.1.1.

If p is a prime, then, as we mentioned, ϕ(p) = p − 1. Therefore we obtain the following Fermat's Theorem from Theorem 4.1.1.

Theorem 4.1.2 If p is a prime and a is a positive integer, then

\[ a^p \equiv a \pmod p. \]


To find the greatest common divisor of two integers $r_0$ and $r_1$, we can use the Euclidean algorithm described as follows.

\[ \begin{aligned} r_0 &= q_1 r_1 + r_2, & 0 < r_2 < r_1 \\ r_1 &= q_2 r_2 + r_3, & 0 < r_3 < r_2 \\ &\;\;\vdots \\ r_{m-2} &= q_{m-1} r_{m-1} + r_m, & 0 < r_m < r_{m-1} \\ r_{m-1} &= q_m r_m. \end{aligned} \]

Then $\gcd(r_0, r_1) = r_m$. Note that $r_1 > r_2 > r_3 > \cdots$, so $r_m \ge 1$ must exist. $\gcd(r_0, r_1) = r_m$ follows from the fact that $\gcd(r_0, r_1) = \gcd(r_1, r_2) = \cdots = \gcd(r_{m-1}, r_m) = r_m$. For example, to find gcd(75, 28) we compute as follows:

\[ \begin{aligned} 75 &= 2 \cdot 28 + 19 \\ 28 &= 1 \cdot 19 + 9 \\ 19 &= 2 \cdot 9 + 1 \\ 9 &= 9 \cdot 1 \end{aligned} \]

So gcd(75, 28) = 1.

For $b \in Z_m$, if gcd(b, m) = 1 then $b^{-1}$ (the multiplicative inverse) exists. We can use the Euclidean algorithm to compute $b^{-1}$ efficiently. We first need the following theorem, which can be proved by induction on j.

Theorem 4.1.3 For $0 \le j \le m$, let $t_0 = 0$, $t_1 = 1$, and $t_j = t_{j-2} - q_{j-1} t_{j-1} \pmod{r_0}$ for $j \ge 2$, where $q_j$, $r_j$ are defined as in the Euclidean algorithm. Then

\[ r_j \equiv t_j r_1 \pmod{r_0}. \]

When gcd(r0, r1) = 1, we have rm = 1. Therefore from this theorem wehave the following corollary.

Corollary 4.1.4 Suppose $\gcd(r_0, r_1) = 1$. Then $t_m = r_1^{-1} \pmod{r_0}$.

Combining the Euclidean algorithm and the above results, we obtain the extended Euclidean algorithm, which can be used to find inverses in $Z_m$. In Figure 4.1 we display the algorithm, which computes $b^{-1} \pmod n$. In the algorithm, ⌊x⌋ means the greatest integer which is less than or equal to x.


    n0 = n
    b0 = b
    t0 = 0
    t = 1
    q = ⌊n0 / b0⌋
    r = n0 − q × b0
    while r > 0 do
        temp = (t0 − q × t) mod n
        t0 = t
        t = temp
        n0 = b0
        b0 = r
        q = ⌊n0 / b0⌋
        r = n0 − q × b0
    end do
    if b0 ≠ 1 then
        b has no inverse modulo n
    else
        b^{-1} = t mod n

Figure 4.1: Extended Euclidean algorithm for $b^{-1} \pmod n$

Using the extended Euclidean algorithm, we find that $28^{-1} \pmod{75} = 67$. The values of the variables in the algorithm change as follows (one row per evaluation of the loop condition; temp is empty before the first iteration):

      n0    b0    t0     t     q     r  temp
      75    28     0     1     2    19
      28    19     1    73     1     9    73
      19     9    73     3     2     1     3
       9     1     3    67     9     0    67


4.2 RSA Public-key System

In a public-key encryption system (PKS), the encryption key and the decryption key are different. The encryption key is public, so that other people can use this key to encrypt texts. The decryption key is kept secret, so only the person who has the decryption key can decrypt ciphertexts.

The basic idea of a PKS is that the encryption function $e_K(x)$ is a "one-way" function, which means that from $e_K$ it is difficult to find its inverse (i.e., $d_K$).

In a PKS, Alice has two keys: one public key and one private key. Alice publishes the public key (and the encryption algorithm) so that anyone can use that key to encrypt messages. The encryption function is a one-way function, so it is difficult to find the decryption method from knowledge of the public key and the encryption algorithm. But the inverse of the encryption function can be easily found if the private key is known. So only Alice is able to decrypt the ciphertext.

RSA was invented by Rivest, Shamir and Adleman in 1977. The security of RSA is based on the difficulty of factoring large integers (whereas it is easy to multiply integers). The description of RSA is in Figure 4.2.

Let n = pq, where p and q are primes. Let $P = C = Z_n$ and define

\[ K = \{(n, p, q, a, b) : n = pq,\ ab \equiv 1 \pmod{\phi(n)},\ p, q \text{ primes}\}. \]

For K = (n, p, q, a, b), define

\[ e_K(x) = x^b \bmod n \quad\text{and}\quad d_K(y) = y^a \bmod n \]

($x, y \in Z_n$). The values n and b are public, and the values p, q, a are secret.

Figure 4.2: RSA Cryptosystem


In the system the pair (n, b) is the public key, while (p, q, a) is the private key.

The encryption algorithm only uses the public key, but the decryption needs the private key. Since $ab \equiv 1 \pmod{\phi(n)}$, we have

\[ d_K(e_K(x)) = (x^b)^a = x^{ab} \equiv x \pmod n \]

by Euler's theorem.

Note that ϕ(pq) = (p − 1)(q − 1) because p, q are primes. If Oscar knows p, q, then he can easily compute a from $ab \equiv 1 \pmod{(p-1)(q-1)}$ by the extended Euclidean algorithm. For this reason, the primes p and q should be very large, so that pq is difficult to factor. Current factoring algorithms are able to factor numbers having up to 130 decimal digits. Hence it is recommended that one choose both p and q to be more than 150 decimal digits (so n will be more than 300 decimal digits). Currently, RSA uses primes of 512 bits. However, some people recommend using 1024-bit primes. We expect to use larger primes as computers get faster.

Now we consider the implementation of RSA. To establish an RSA system, we need the following algorithms.

1. Generate large primes p and q.

2. Compute n = pq and ϕ(n) = (p − 1)(q − 1).

3. Choose a random number b, 0 ≤ b ≤ ϕ(n), such that gcd(b, ϕ(n)) = 1.

4. Compute $a \equiv b^{-1} \pmod{\phi(n)}$.

5. Compute $x^b \pmod n$ and $y^a \pmod n$.

Using the Euclidean algorithm and its extension, we can realize most of the above steps, except computing $x^b \pmod n$ and generating large primes.

To compute $x^b \pmod n$, we can use the square-and-multiply algorithm. First we write b in its binary form:

\[ b = \sum_{i=0}^{l-1} b_i 2^i, \quad \text{where } b_i = 0 \text{ or } 1. \]


    z = 1
    for i = l − 1 downto 0 do
        z = z^2 mod n
        if b_i = 1 then z = z × x mod n
    end do

Figure 4.3: The square-and-multiply algorithm

So b is of length l in its binary expression. Then we can use the algorithm displayed in Figure 4.3.

In the square-and-multiply algorithm $l \approx \log_2 b$. So this algorithm performs about $2 \log_2 b$ multiplications, which is much more efficient than b multiplications.

As an example, let us compute $3^{13} \pmod{10}$. Since the binary version of 13 is 1101, we have

\[ \begin{aligned} 3^{13} &\equiv 3^{2^3 + 2^2 + 1} \pmod{10} \\ &= ((3^2 \cdot 3)^2)^2 \cdot 3 \pmod{10} \\ &= (7^2)^2 \cdot 3 \pmod{10} \\ &= 9^2 \cdot 3 \pmod{10} \\ &= 1 \cdot 3 \pmod{10} \\ &= 3 \pmod{10}. \end{aligned} \]

The square-and-multiply algorithm works in the same way.

Next we consider how to find large primes. We will use a Monte Carlo algorithm to do that.

Definition 4.2.1 A yes-biased Monte Carlo algorithm is a probabilistic algorithm for a decision problem in which a "yes" answer is always correct, but a "no" answer may be incorrect. We say that a Monte Carlo algorithm has error probability ε if the algorithm gives the incorrect answer "no" with probability at most ε.

The idea to generate a large prime is to choose a random large number first and then use a Monte Carlo algorithm to test whether that number is a prime. There are several Monte Carlo algorithms that can be used. Here we just introduce the Miller-Rabin algorithm, which is described in Figure 4.4.

    write n − 1 = 2^k m, where m is odd
    choose a random integer a, 1 ≤ a ≤ n − 1
    compute b = a^m mod n
    if b ≡ 1 (mod n) then
        answer "n is prime" and quit
    for i = 0 to k − 1 do
        if b ≡ −1 (mod n) then
            answer "n is prime" and quit
        else
            b = b^2 mod n
    answer "n is composite"

Figure 4.4: Miller-Rabin primality test algorithm

The Miller-Rabin algorithm is a "yes-biased" Monte Carlo algorithm for the decision problem "is the odd number n composite?". So if the algorithm answers "n is composite", then n must be composite. This can be proved as follows.

Suppose the answer of the program is "n is composite". Then from the program we know that $a^m \not\equiv 1 \pmod n$ and $a^{2^i m} \not\equiv -1 \pmod n$ for $0 \le i \le k-1$. However, if n is a prime then $a^{n-1} = a^{2^k m} \equiv 1 \pmod n$ by Euler's Theorem. Therefore $(a^{2^{k-1} m} - 1)(a^{2^{k-1} m} + 1) \equiv 0 \pmod n$. Since n is a prime and $a^{2^{k-1} m} \not\equiv -1 \pmod n$, we must have $a^{2^{k-1} m} - 1 \equiv 0 \pmod n$. Continuing in this way, we finally get $a^m - 1 \equiv 0 \pmod n$, which is a contradiction.

Using some mathematics, it can be proved that the error probability of this algorithm is at most 1/4. So when the algorithm answers "n is prime", there is at most a 1/4 probability that n actually is composite. To reduce the error probability, we can repeat the algorithm several times, each time with a different random number a. For example, we can choose t random values of a and run the algorithm t times. If the answer is always "n is prime", then the probability that n is composite is at most $(1/4)^t$. If t is large enough, the error probability will be very small.

Let's look at a small example to illustrate the RSA system. Suppose Bob chooses primes p = 101 and q = 113. Then n = 11413 and ϕ(n) = 11200. Bob chooses a random number b = 3533, which is coprime to 11200. Then $b^{-1} \bmod 11200 = 6597$. Bob publishes n = 11413 and b = 3533. Suppose Alice wants to send Bob the plaintext 9726. She will compute

\[ 9726^{3533} \bmod 11413 = 5761 \]

and send 5761 to Bob. When Bob receives the ciphertext 5761, he uses his secret key a = 6597 to decrypt:

\[ 5761^{6597} \bmod 11413 = 9726. \]

4.3 ElGamal Cryptosystem

Another popular public-key system is the ElGamal cryptosystem, which is based on the discrete logarithm problem. Sometimes this cryptosystem is also called a Diffie-Hellman type cryptosystem, because it is based on an idea from the Diffie-Hellman key exchange scheme, which we will discuss later.

Suppose p is a prime. Then we can find some $\alpha \in Z_p$ such that each number $\beta \in Z_p^*$ (= $Z_p \setminus \{0\}$) can be written as $\beta \equiv \alpha^a \pmod p$ for some a; such an α is called a primitive element of $Z_p$ (or equivalently, of GF(p)). For example, if p = 7, then α = 3 is a primitive element of $Z_7$. This is because in $Z_7$ we have:

\[ 1 = 3^6,\quad 2 = 3^2,\quad 3 = 3^1,\quad 4 = 3^4,\quad 5 = 3^5,\quad 6 = 3^3. \]

The discrete logarithm problem is the following: in the equation

\[ \beta \equiv \alpha^a \pmod p \quad (\beta \ne 1), \]

find the value of a when β, α and p are known.

There are several methods to attack the discrete logarithm problem. To thwart known attacks, p should be at least 300 decimal digits, and p − 1 should have at least one large prime factor.

The ElGamal system is described in Figure 4.5.

The correctness of the system is easy to check:


Let p be a prime such that the discrete logarithm problem in $Z_p$ is intractable and let $\alpha \in Z_p^*$ be a primitive element. Let $P = Z_p^*$, $C = Z_p^* \times Z_p^*$, and

\[ K = \{(p, \alpha, a, \beta) : \beta \equiv \alpha^a \pmod p\}. \]

The values p, α and β are public and a is secret. For $K = (p, \alpha, a, \beta) \in K$ and for a secret random number $k \in Z_{p-1}$, define

\[ e_K(x, k) = (y_1, y_2), \quad\text{where } y_1 = \alpha^k \bmod p,\ y_2 = x\beta^k \bmod p. \]

For $y_1, y_2 \in Z_p^*$, define

\[ d_K(y_1, y_2) = y_2 (y_1^a)^{-1} \bmod p. \]

Figure 4.5: ElGamal Cryptosystem

\[ d_K(y_1, y_2) = y_2 (y_1^a)^{-1} = x\beta^k (\alpha^{ak})^{-1} \equiv x \pmod p. \]

The public key of the ElGamal cryptosystem contains the values p, α and β, and the private key of the system is the value a. Note that the ElGamal system is non-deterministic, since the ciphertext depends not only on the plaintext and the public key, but also on the random number k. A plaintext may have different ciphertexts, which is good for the security of the system. On the other hand, the length of a ciphertext is twice the length of its plaintext, which is not good for network traffic.

When using the ElGamal system, the value of k should be kept secret. Otherwise, x can be revealed from k and $y_2$ by computing $x = y_2 \beta^{-k} \pmod p$.

To implement the system, we need the following algorithms:


1. Find a large prime p such that p − 1 has at least one large prime factor.

2. Find a primitive element α of $Z_p$.

3. Choose a random number $k \in Z_{p-1}$.

4. Compute $\alpha^k \pmod p$ and $x\beta^k \pmod p$.

5. Compute $(y_1^a)^{-1} \pmod p$.

We already have a method to find a large prime. So we can first find a large prime q. Then we try random numbers r until qr + 1 = p is a prime. To find a primitive element, we can choose a random α and let $g = \alpha^r$. If $g \not\equiv 1 \pmod p$, then we use α in the ElGamal system; otherwise we try another value of α. In fact, an α found by this method is not necessarily a primitive element of $Z_p^*$, but it is guaranteed that α has order not less than q. To ensure that α is a primitive element of $Z_p^*$, one needs to check $\alpha^{tq} \not\equiv 1 \pmod p$ for each factor t of r with $t \ne r$. The other algorithms can be obtained from the previous section.

It is easy to see that if one can solve the discrete logarithm problem, then the ElGamal system is broken.

Let's see an example. Suppose p = 2579 and α = 2; α is a primitive element in $Z_p$. Let a = 765, so

\[ \beta = 2^{765} \bmod 2579 = 949. \]

Suppose Alice wants to send the message 1299 to Bob. She chooses a random number k = 853. Then she computes

\[ y_1 = 2^{853} \bmod 2579 = 435 \quad\text{and}\quad y_2 = 1299 \times 949^{853} \bmod 2579 = 2396. \]

When Bob receives the ciphertext (435, 2396), he computes

\[ x = 2396 \times (435^{765})^{-1} \bmod 2579 = 1299. \]

The ElGamal system can be established in any cyclic group. In this section, we used $Z_p^*$, a cyclic group of order p − 1, for the system. In practice, other cyclic groups are used. For example, for a prime p, $Z_{p^n}$ (n a positive integer) and $Z_q$ (q a prime factor of p − 1) are used in different systems.


4.4 Other Public-key Cryptosystems

There are other public-key cryptosystems. Most of them are based on the difficulty of the factoring problem or the discrete logarithm problem. In this section, we just list a few examples briefly.

The Rabin Cryptosystem also uses a number n = pq, where p, q are large primes such that $p, q \equiv 3 \pmod 4$. The encryption function is

\[ e_K(x) = x^2 \bmod n \]

and the decryption function is

\[ d_K(y) = \sqrt{y} \bmod n. \]

The security of the Rabin system is based on some number theory facts. In general, finding the value $\sqrt{y} \bmod n$ is very difficult unless n is a prime. However, if p and q are known, then there is an easy way to compute $\sqrt{y} \bmod n$ for n = pq.

There are some variant forms of the RSA system. For example, some people suggested using n = pqr, a product of three primes. Some people suggested using $n = p^2 q$, where p, q are primes, etc.

The elliptic curve cryptosystem uses the idea of the ElGamal system. In the ElGamal system, each element in $Z_p^*$ can be written as $\alpha^i$ for some i; $Z_p^*$ is a cyclic group generated by α. The elliptic curve system uses a group different from $Z_p^*$: the group of solutions of $y^2 \equiv x^3 + ax + b \pmod p$ instead of the group $Z_p^*$. Elliptic curve systems depend on more mathematics. The decryption in an elliptic curve system is more efficient than that in an RSA system.

Another interesting public-key system is NTRU, which uses polynomial rings and depends on some problems in a mathematical structure called lattices. There is some relationship between the factoring problem and the discrete logarithm problem. However, the lattice problem seems to be different from these problems.

4.5 Public-key Systems and Secret-key Systems

We should indicate here that in general a public key cryptosystem is much slower than a secret key cryptosystem. For example, the RSA system is about 1500 times slower than DES. So it is not practical to use a public key system for large plaintexts. Usually, we use a public key system to send a key for some secret key cryptosystem and then use the secret key cryptosystem to encrypt the plaintexts. So one of the important applications of public-key systems is to distribute secret keys, which we will discuss later.

We can use the following simple example to explain the combination of a public-key system and a secret-key system. Suppose Bob has an RSA system, so he has published his public key $K_{pub}$ and stored his private key $K_{pri}$ in a secure place. Now Alice wants to communicate with Bob. She first chooses a random key K for the AES system. Then she sends Bob the value $e_{K_{pub}}(K)$. Since only Bob has the key $K_{pri}$, only he can obtain K. After that, Alice and Bob can use AES with the common key K to encrypt their communication.

For the security of a public key cryptosystem, we need to consider chosen plaintext attacks. Since the encryption function is public in such a system, Oscar can choose any plaintext and obtain the corresponding ciphertext.

All the existing public key cryptosystems are based on some difficult mathematical problems. Usually we call such a system a computationally secure cryptosystem, because we don't know efficient algorithms to solve these problems. If some efficient algorithm is invented in the future, then the system will no longer be secure.


Chapter 5

Information Authentication

Message authentication is one of the important security problems in network security. Suppose Bob receives some message from Alice over the internet. How can he believe that the message was really sent by Alice? How can he be sure that the message has not been modified by Oscar? These are basic problems of information authentication.

Information authentication on a network needs new techniques and algorithms. In this chapter we discuss digital signature schemes, message authentication and hash functions, which are among the most important authentication techniques.

5.1 Signature Schemes

Handwritten signatures have been used to sign paper documents for a long time. However, for an electronic file, we cannot just put a name on the file, since the name can be easily forged by other people. Note that if there are only two parties, Alice and Bob, in the scheme and they share a common secret key, then Alice can use the key to encrypt the whole file, and Bob will know that the file is from Alice since only he and Alice know the key. However, Bob cannot know whether the ciphertext is complete: Oscar might cut off part of the ciphertext, and Bob can still decrypt the remaining ciphertext and get wrong information. Also, in many cases a signature needs to be checked by several people. And, as we discussed before, it is not easy to distribute secret keys.

The idea of a public key system is therefore used for signatures. A signature scheme is used to create an electronic signature such that no other party can forge the signature, while anyone can verify the validity of the signature. So a signature scheme consists of two components, a signing algorithm and a verification algorithm.

In a signature scheme, when Alice wants to send Bob a message x, she will send a pair (x, sig(x)) to Bob. Bob can check whether sig(x) is correct and decide whether to accept x. Oscar wants to construct a message (y, z) and hopes that Bob will accept the message y as sent by Alice.

We give a formal definition of signature scheme as follows.

Definition 5.1.1 A signature scheme is a five-tuple (P, A, K, S, V), where the following conditions are satisfied:

1. P is a finite set of possible messages.

2. A is a finite set of possible signatures.

3. K, the key space, is a finite set of possible keys.

4. For each key K ∈ K, there is a signature algorithm $sig_K \in S$ and a corresponding verification algorithm $ver_K \in V$. Each $sig_K : P \to A$ and $ver_K : P \times A \to \{true, false\}$ are functions such that the following equation is satisfied for every message x ∈ P and for every signature y ∈ A:

\[ ver_K(x, y) = \begin{cases} true & \text{if } y = sig_K(x) \\ false & \text{if } y \ne sig_K(x). \end{cases} \]

In general, the key K ∈ K includes a pair of keys: one is a public key and the other is a secret key. The security of a signature scheme requires that $ver_K()$ (the verification algorithm and the public key) is publicly known and that, for any x ∈ P, it is difficult to forge $sig_K(x)$ without knowing the secret key.

RSA signature scheme

The RSA signature scheme is based on the RSA public-key system. The scheme is described in Figure 5.1.

The RSA signature scheme actually uses the decryption function of RSA as $sig_K$ and the encryption function of RSA as $ver_K$. This is because the encryption and decryption functions of RSA are "symmetric". It is easy to prove the correctness of the RSA signature scheme.

Let n = pq, where p and q are primes. Let $P = A = Z_n$ and

\[ K = \{(n, p, q, a, b) : n = pq,\ p, q \text{ prime},\ ab \equiv 1 \pmod{\phi(n)}\}. \]

The values n and b are public and the values of p, q, a are secret. For K = (n, p, q, a, b), define

\[ sig_K(x) = x^a \bmod n \]

and

\[ ver_K(x, y) = true \Leftrightarrow x \equiv y^b \pmod n \]

($x, y \in Z_n$).

Figure 5.1: RSA Signature Scheme

Now we consider some possible attacks for a signature scheme. The se-curity of a signature scheme is based on how to prevent against forging asignature. For the RAS signature scheme, Oscar might forge Alice’s signa-ture as follows. Since verK is public, Oscar can compute x = verK(y) = yb

(mod n) for some value of y and send (x, y) to Bob. In that case, Bob willaccept the signature as Alice’s signature since the verification algorithm willoutput true. However, it is difficult for Oscar to choose the value of y suchthat x = yb (mod n) is meaningful. In fact, for given x, b, n, it is difficultto find y such that x = yb (mod n). Therefore that kind of attacks is notvery useful. However, this attack tells us that signing a random string byRSA system is meaningless. Another possible attack comes from a propertyof RSA signature scheme that sigK(x) · sigK(y) = sigK(xy). So if Oscar ob-served (x, sigK(x)) and (y, sigK(y)), he can then sends (xy, sigK(x) ·sigK(y))to Bob and Bob will accept it if xy is meaningful.

For a signature scheme, Oscar can always use the following attack. Oscar requests Alice to sign several messages (x_1, y_1), (x_2, y_2), ..., (x_t, y_t), where y_i = sig_K(x_i), i = 1, 2, ..., t. Then Oscar sends a subset of the pairs (x_{j_1}, y_{j_1}), (x_{j_2}, y_{j_2}), ..., (x_{j_s}, y_{j_s}) to Bob. Bob will accept the messages since the verification algorithm will always output true. By choosing the values of x_{j_1}, x_{j_2}, ..., x_{j_s}, Oscar can send some wrong information to Bob, and Bob will think that the information is from Alice. To avoid this kind of attack, one method is to use hash functions or a MAC, which we will discuss in the next section. Another method we can use is to encrypt the messages x_i.

Note that the message x is not encrypted in the signature scheme. To keep the message secret, we have to encrypt x. In this case, we recommend signing the message x before encryption to avoid a possible attack from Oscar. In fact, suppose Alice first encrypts the message x to get the ciphertext y and then signs y using her scheme: z = sig_Alice(y). (y, z) is then sent to Bob. If Oscar obtains the pair (y, z) in transit, then he can replace z with z′ = sig_Oscar(y) and transmit (y, z′) to Bob. Bob may verify the message and think that the plaintext x originated with Oscar. So usually Alice will encrypt the pair (x, sig_Alice(x)) and send the ciphertext to Bob. When Bob receives the ciphertext, he first decrypts it to obtain the pair (x, sig_Alice(x)), then verifies the signature.

ElGamal signature scheme

The ElGamal signature scheme is also widely used; it is described in Figure 5.2. The security of this signature scheme is based on the difficulty of the discrete logarithm problem.

The correctness of the ElGamal signature scheme can be proved as follows.

$\beta^{\gamma}\gamma^{\delta} \equiv \alpha^{a\gamma}\alpha^{k\delta} = \alpha^{a\gamma + k\delta} \equiv \alpha^{x} \pmod p$,

where we use the fact that

$a\gamma + k\delta \equiv x \pmod{p-1}$

and hence $\alpha^{a\gamma + k\delta} \equiv \alpha^{x} \pmod p$.

Similar to ElGamal public-key encryption, the random value k should be kept secret. If Oscar knows k, then he can find the secret key a easily:

$a = (x - k\delta)\gamma^{-1} \bmod (p-1)$.



Let p be a prime such that the discrete logarithm problem in Z_p is intractable and let α ∈ Z_p^* be a primitive element. Let P = Z_p^*, A = Z_p^* × Z_{p−1}, and define

$K = \{(p, \alpha, a, \beta) : \beta \equiv \alpha^{a} \pmod p\}$.

The values of p, α and β are public and a is secret. For K = (p, α, a, β) ∈ K and for a secret random number k ∈ Z_{p−1}^*, define

$sig_K(x, k) = (\gamma, \delta)$,

where $\gamma = \alpha^{k} \bmod p$ and

$\delta = (x - a\gamma)k^{-1} \bmod (p-1)$.

For x, γ ∈ Z_p^* and δ ∈ Z_{p−1}, define

$ver_K(x, \gamma, \delta) = \text{true} \Leftrightarrow \beta^{\gamma}\gamma^{\delta} \equiv \alpha^{x} \pmod p$.

Figure 5.2: ElGamal signature scheme

Moreover, we cannot use the same k to sign two different messages. If k is used to sign two different messages x_1 and x_2, then Oscar knows

$\beta^{\gamma}\gamma^{\delta_1} \equiv \alpha^{x_1} \pmod p$

and

$\beta^{\gamma}\gamma^{\delta_2} \equiv \alpha^{x_2} \pmod p$.

So he can compute

$\alpha^{x_1 - x_2} \equiv \gamma^{\delta_1 - \delta_2} \equiv \alpha^{k(\delta_1 - \delta_2)} \pmod p$.

Therefore

$x_1 - x_2 \equiv k(\delta_1 - \delta_2) \pmod{p-1}$.

In this way, Oscar can find k by using some knowledge of number theory and then find the secret key a.

Another attack Oscar can perform is similar to the attack on the RSA signature scheme discussed before. Oscar selects two numbers u, v such that gcd(v, p − 1) = 1. Let

$\gamma = \alpha^{u}\beta^{v} \bmod p, \qquad \delta = -\gamma v^{-1} \bmod (p-1)$.

Then it is easy to check that (γ, δ) is a valid signature of x = uδ mod (p − 1), since $\beta^{\gamma}\gamma^{\delta} \equiv \alpha^{u\delta} \pmod p$. However, it is difficult for Oscar to find a useful value of x this way.
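Signing and verifying with the scheme of Figure 5.2, as an added example (not code from the lecture notes). The group p = 467, α = 2 and the key a = 127 are constructed toy values; `fresh_k` enforces the two requirements the text just derived, namely that k is invertible modulo p − 1 and is never reused.

```python
# Added example (not from the lecture notes): ElGamal signatures per Figure 5.2.
# p = 467 and alpha = 2 are constructed toy parameters (2 is primitive mod 467).
import secrets
from math import gcd

P, ALPHA = 467, 2


def elgamal_keygen(p=P, alpha=ALPHA, a=None):
    """Secret a in [1, p-2]; public beta = alpha^a mod p."""
    a = a if a is not None else 1 + secrets.randbelow(p - 2)
    return (p, alpha, pow(alpha, a, p)), a


def fresh_k(p):
    """A per-signature k in Z*_{p-1}: gcd(k, p-1) = 1 so k^{-1} mod (p-1) exists.
    k is secret and must differ for every signature (see the attacks above)."""
    while True:
        k = 1 + secrets.randbelow(p - 2)
        if gcd(k, p - 1) == 1:
            return k


def elgamal_sign(public, a, x, k=None):
    p, alpha, _ = public
    k = k if k is not None else fresh_k(p)
    gamma = pow(alpha, k, p)                                   # gamma = alpha^k mod p
    delta = ((x - a * gamma) * pow(k, -1, p - 1)) % (p - 1)    # delta = (x - a*gamma) k^-1
    return gamma, delta


def elgamal_verify(public, x, gamma, delta):
    p, alpha, beta = public
    if not (0 < gamma < p and 0 <= delta < p - 1):            # gamma in Z*_p, delta in Z_{p-1}
        return False
    lhs = (pow(beta, gamma, p) * pow(gamma, delta, p)) % p
    return lhs == pow(alpha, x, p)                             # beta^gamma gamma^delta = alpha^x ?
```

The range check on γ matters: a verifier that accepts γ ≥ p or γ = 0 is accepting values outside the scheme's definition, and several published forgeries against sloppy ElGamal implementations start exactly there.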

Digital Signature Standard

The Digital Signature Standard (or DSS) was published in 1994; it was modified from the ElGamal signature scheme (FIPS PUB 186). We describe the DSS in Figure 5.3.

The most important modification of DSS relative to the ElGamal signature scheme is the use of Z_q, a subgroup of Z_p^*. In this way, the length of the signature is reduced to 320 bits (while it is at least 1024 bits in the ElGamal signature scheme). On the other hand, the main computations are still done modulo a 512-bit number, the same as in the ElGamal scheme.

Let us use a small example to illustrate the DSS.

Example 5.1.2 Let q = 29 and p = 29 · 8 + 1 = 233. Let h = 3, so

$\alpha = 3^{8} = 6561 \equiv 37 \pmod{233}$.

Therefore P = Z_{233}^*, A = Z_{29} × Z_{29}. Let a = 2 and

$\beta = \alpha^{a} = 37^{2} \equiv 204 \pmod{233}$.

p, q, α, β are public and a = 2 is secret. Suppose the plaintext x = 10. Let the random number k = 4 (1 ≤ k ≤ 28). Then the signature sig_K(10, 4) = (γ, δ), where

$\gamma = (37^{4} \bmod 233) \bmod 29 = (204^{2} \bmod 233) \bmod 29 = 142 \bmod 29 = 26$



Let p be a prime number such that $2^{L-1} < p < 2^{L}$ for 512 ≤ L ≤ 1024 and L a multiple of 64, and let q be a 160-bit prime that divides p − 1. Let $\alpha = h^{(p-1)/q} \bmod p$, where h is any integer with 1 < h < p − 1 such that $h^{(p-1)/q} \bmod p > 1$. Let P = Z_p^*, A = Z_q × Z_q, and define

$K = \{(p, q, \alpha, a, \beta) : \beta \equiv \alpha^{a} \pmod p\}$.

The values of p, q, α and β are public and a is secret. For K = (p, q, α, a, β) ∈ K and for a secret random number k, 1 ≤ k ≤ q − 1, define

$sig_K(x, k) = (\gamma, \delta)$,

where

$\gamma = (\alpha^{k} \bmod p) \bmod q$

and

$\delta = (x + a\gamma)k^{-1} \bmod q$.

For x ∈ Z_p^* and γ, δ ∈ Z_q, verification is done by performing the following computations:

$e_1 = x\delta^{-1} \bmod q$

$e_2 = \gamma\delta^{-1} \bmod q$

and

$ver_K(x, \gamma, \delta) = \text{true} \Leftrightarrow (\alpha^{e_1}\beta^{e_2} \bmod p) \bmod q = \gamma$.

Figure 5.3: Digital Signature Standard



and

$\delta = (10 + 2 \cdot 26) \cdot 4^{-1} \bmod 29 = 4 \cdot 4^{-1} \bmod 29 = 1$.

So for x = 10, the signature is (26, 1). To compute ver_K(x, γ, δ) = ver_K(10, 26, 1), we have

$e_1 = 10 \cdot 1^{-1} \bmod 29 = 10$,

$e_2 = 26 \cdot 1^{-1} \bmod 29 = 26$

and

$(37^{10} \cdot 204^{26} \bmod 233) \bmod 29 = (74 \cdot 46 \bmod 233) \bmod 29 = 142 \bmod 29 = 26 = \gamma$.

So the verification algorithm will output true.
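The DSS of Figure 5.3 run on exactly the parameters of Example 5.1.2, as an added example (not code from the lecture notes). Nothing beyond the example's own values (q = 29, p = 233, h = 3, a = 2, x = 10, k = 4) is assumed, so the code reproduces the hand computation above, signature (26, 1), and can then be pointed at any other (p, q, h) triple.

```python
# Added example (not from the lecture notes): DSS signing and verification
# per Figure 5.3, checked against the worked numbers of Example 5.1.2.


def dss_params(p, q, h):
    """alpha = h^((p-1)/q) mod p; it must be > 1, and then it has order q."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    alpha = pow(h, (p - 1) // q, p)
    if alpha <= 1:
        raise ValueError("h gives alpha = 1; choose another h")
    return p, q, alpha


def dss_keygen(params, a):
    """Public key (p, q, alpha, beta = alpha^a mod p); secret a."""
    p, q, alpha = params
    return (p, q, alpha, pow(alpha, a, p)), a


def dss_sign(public, a, x, k):
    p, q, alpha, _ = public
    if not 1 <= k <= q - 1:
        raise ValueError("k must satisfy 1 <= k <= q-1")
    gamma = pow(alpha, k, p) % q                          # (alpha^k mod p) mod q
    delta = ((x + a * gamma) * pow(k, -1, q)) % q         # (x + a*gamma) k^-1 mod q
    # FIPS 186 requires a new k if either value is 0 (delta = 0 is not invertible).
    if gamma == 0 or delta == 0:
        raise ValueError("degenerate signature; pick a fresh k")
    return gamma, delta


def dss_verify(public, x, gamma, delta):
    p, q, alpha, beta = public
    if not (0 < gamma < q and 0 < delta < q):             # gamma, delta in Z_q, nonzero
        return False
    dinv = pow(delta, -1, q)
    e1 = (x * dinv) % q
    e2 = (gamma * dinv) % q
    return (pow(alpha, e1, p) * pow(beta, e2, p) % p) % q == gamma


# Example 5.1.2: q = 29, p = 233, h = 3, secret a = 2
PUBLIC, SECRET = dss_keygen(dss_params(233, 29, 3), 2)
```

With these values `dss_sign(PUBLIC, SECRET, 10, 4)` returns (26, 1) and `dss_verify(PUBLIC, 10, 26, 1)` returns True, matching the computation in the text.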

There are other signature schemes. Basically, from a public-key cryptosystem we can derive a signature scheme. One widely used signature scheme is the Elliptic Curve Digital Signature Algorithm (ECDSA), which was approved as FIPS 186-2 in 2000.

5.2 Message Authentication and Hash Functions

A signature scheme can only be used to sign a short message. As we mentioned in the previous section, if a key is used to sign several messages, then Oscar might select and rearrange the messages to cheat Alice. Another problem is that the size of the signature is equal to or larger than the message, which will cause traffic problems for a network. Therefore we need some method to authenticate long messages. There are basically two methods to authenticate messages. One method uses hash functions and signature schemes. An alternative authentication technique involves the use of a secret key and is called a message authentication code (or MAC).

Suppose Alice and Bob share a common secret key K. We need some function C_K(x) which depends on the secret key K. We also hope that the input x of the function can be very large while the output of the function is small. When Alice wants to send a message x to Bob, she first computes C_K(x) and then sends (x, C_K(x)) to Bob. Usually, the size of C_K(x) is much smaller than that of x. Since Bob knows K, he can compute y = C_K(x) after he receives x and check whether y equals the value of C_K(x) he received. The formal definition of a MAC is as follows.

Definition 5.2.1 A MAC is a four-tuple (P, A, K, H), where the following conditions are satisfied:

1. P is a set of possible messages.

2. A is a finite set of possible authentication tags.

3. K, the key space, is a finite set of possible keys.

4. For any K ∈ K and C ∈ H, C_K : P → A.

Note that in the above definition, the set P can be an infinite set. A MAC function C_K() is similar to an encryption function, but it need not be reversible (there is no need to decrypt). This property makes it possible for the size of C_K(x) to be much smaller than that of x.

A MAC function is not a signature. Since both Alice and Bob know the secret key, each of them can forge the other's tag. On the other hand, only Bob can verify the correctness of the message in this case, while everyone can do the verification in a signature scheme.

A MAC function should have the following property: if Oscar knows x and C_K(x), it should be computationally infeasible to construct a message x′ such that C_K(x′) = C_K(x). This is called the collision-free property. We will discuss the collision-free property a little later when we consider hash functions.

As an example of a MAC, we describe the Data Authentication Algorithm, which is based on DES (FIPS PUB 113). Suppose the message is x. First we divide the message into 64-bit blocks: x = x_1 x_2 ··· x_N, where each x_i is a 64-bit string, 1 ≤ i ≤ N. The algorithm is similar to the CBC mode of DES. Suppose e_K is the DES encryption with the secret key K. Let

$O_1 = e_K(x_1)$

$O_2 = e_K(x_2 \oplus O_1)$

$O_3 = e_K(x_3 \oplus O_2)$

$\vdots$

$O_N = e_K(x_N \oplus O_{N-1})$.

Then O_N is the result of the MAC, i.e., C_K(x) = O_N. The length of the input message of this MAC function can be anything bigger than 64 bits (with some padding bits if necessary). The output of the function is always 64 bits.

Another common technique used in authentication is applying hash functions. We already noted that a signature scheme is not convenient for signing a large message. If we break the message into chunks first and then sign each chunk, Oscar might remove some chunks from the sequence and thus change the message. Hash functions can be used to prevent such attacks.

Definition 5.2.2 A hash family is a triple (P, D, H), where the following conditions are satisfied:

1. P is a set of possible messages.

2. D is a finite set of possible message digests.

3. For any h ∈ H, h : P → D.

A hash function will take a message of arbitrary length and produce a message digest of a specified size (for example, 160 bits). A hash function does not use any keys, so anyone can compute a hash value provided the hash algorithm is public. One method of using a hash function to authenticate a message is as follows. For a large message x, we first use a hash function h() to get a digest: z = h(x). Then the digest is signed using some signature scheme: γ = sig_K(z). The pair (x, γ) is the signed message. Since the hash function is public, anyone can compute z from x and check the correctness of the signature.

A MAC function or a hash function h should satisfy some properties for security reasons. The following properties can be considered.



• Weakly collision-free: Given a message x, it is computationally infeasible to find a message x′ ≠ x such that h(x′) = h(x). This property can be used to prevent Oscar from forging a signature (Oscar sends (x′, sig(h(x))) to Bob and Bob believes x′).

• One-way property: Given a message digest z, it is computationally infeasible to find a message x such that h(x) = z. Since forging a signature on a random value is easier than forging one on a meaningful message, this property can be used to prevent forging a signature.

• Strongly collision-free: It is computationally infeasible to find two messages x and x′ ≠ x such that h(x′) = h(x).

It can be proved that the strongly collision-free property implies both the one-way property and the weakly collision-free property.

The main difference between a MAC and a hash function is that a hash function does not use a secret key. Since establishing a secret key over the Internet is not easy, hash functions have some advantages.

We can use a block cipher to construct a hash function as follows. Suppose the encryption function is e_K() and the message is x. Write the message as blocks of fixed size: x = x_1 x_2 ··· x_N. Then we use each block as the key of an encryption. First let h_0 be some initial value. Then compute

$h_1 = e_{x_1}(h_0)$

$h_2 = e_{x_2}(h_1)$

$\vdots$

$h_N = e_{x_N}(h_{N-1})$.

Define h(x) = h_N. This method is called a block chaining technique. However, this method is not secure; there are known attacks on the function. There are several ways to improve its security. For example, let

$h_i = e_{h_{i-1}}(x_i) \oplus x_i \oplus h_{i-1}$.
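The Data Authentication Algorithm (the CBC-style MAC of the previous page) and the two block-chaining hash constructions just given, as one added example (not code from the lecture notes). Python's standard library contains no DES, so the 64-bit keyed block function e_K is stood in for by a truncated SHA-256 of key and block, labelled as such in the code; the chaining structure, the zero-padding of the last block and the 64-bit output are what the example demonstrates, not the cipher.

```python
# Added example (not from the lecture notes): the DAA MAC (FIPS 113 structure)
# and the block-chaining hashes h_i = e_{x_i}(h_{i-1}) and
# h_i = e_{h_{i-1}}(x_i) xor x_i xor h_{i-1}.  e() is a STAND-IN for DES.
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES


def e(key: bytes, block: bytes) -> bytes:
    """Stand-in for e_K(block): a keyed 64-bit function (NOT DES)."""
    if len(block) != BLOCK:
        raise ValueError("block must be 64 bits")
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(msg: bytes):
    """Split into 64-bit blocks, zero-padding the last one (as FIPS 113 does)."""
    msg = msg + b"\x00" * (-len(msg) % BLOCK)
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]


def daa_mac(key: bytes, msg: bytes) -> bytes:
    """C_K(x) = O_N with O_1 = e_K(x_1) and O_i = e_K(x_i xor O_{i-1})."""
    o = bytes(BLOCK)                 # O_0 = 0, so the first step is e_K(x_1)
    for x in blocks(msg):
        o = e(key, xor(x, o))
    return o


def chain_hash_weak(msg: bytes, h0: bytes = bytes(BLOCK)) -> bytes:
    """h_i = e_{x_i}(h_{i-1}): each message block is used as the key."""
    h = h0
    for x in blocks(msg):
        h = e(x, h)
    return h


def chain_hash_strengthened(msg: bytes, h0: bytes = bytes(BLOCK)) -> bytes:
    """h_i = e_{h_{i-1}}(x_i) xor x_i xor h_{i-1}: the improved construction."""
    h = h0
    for x in blocks(msg):
        h = xor(xor(e(h, x), x), h)
    return h
```

Both hashes and the MAC return exactly one block (64 bits) whatever the input length; the 64-bit output is the reason the birthday bound discussed later makes such short digests unsuitable for collision resistance.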

A hash function created by a block chaining technique and a block cipher is not very efficient. A block cipher is usually very complicated and the encryption takes time. So researchers tried to find more efficient hash functions.



Since the input of the hash function is large and the output is small, a hash function is a many-to-one, or even infinite-to-one, function. In general, constructing a collision-resistant (strongly collision-free) hash function is not easy.

MD5

MD5 (Message Digest, RFC 1321) is one of the commonly used hash functions; it was developed by Rivest. MD5 can be described as follows.

• The first step of MD5 is appending padding bits to the message so that its length is congruent to 448 modulo 512. Padding is always added, even if the message length is already 448 modulo 512. The number of padding bits is between 1 and 512. The padding starts with a 1 bit followed by the desired number of 0 bits.

• Then a 64-bit representation of the length in bits of the original message is appended. If the length of the message is more than 2^{64}, then the length modulo 2^{64} is used. In this way, the message becomes an integer multiple of 512 bits in length.

• A 128-bit buffer (four 32-bit registers) is used to hold intermediate and final results of the hash function. The buffer is initialized to four fixed 32-bit integers.

• Then each 512-bit block of the message is processed by a compression function which consists of four rounds of hashing. All the operations in the compression function are very efficient. Basically, the function uses bitwise "and", "or", "XOR", complement, circular left shift and integer addition modulo 2^{32}. The function also uses a table of values derived from the sine function (abs(sin(i))). The four rounds have a similar structure, but each uses a different primitive logical function. In each round, the current 512-bit block and the 128-bit buffer value are taken as input and the contents of the buffer are updated. Each round consists of 16 steps. The output of the fourth round is added to the input of the first round. The addition is done for four words using addition modulo 2^{32}.

• The output of MD5 is a 128-bit digest.

MD5 is modified from MD4 which used three rounds.



SHA

The secure hash algorithm (SHA) was developed by NIST, along with the NSA. A revised version, referred to as SHA-1, was published in 1995 (FIPS PUB 180-1). SHA-1 is also derived from MD4 and is quite similar to MD5. However, the input of SHA-1 is a message of any length < 2^{64} bits and the output is a 160-bit message digest. The Secure Hash Standard (SHS) suggests using SHA-1 to produce a message digest and then signing it with the Digital Signature Algorithm (specified in the DSS).

SHA-1 uses a similar method as MD5 to append padding bits to the message and a 64-bit integer indicating the length of the original message, so that the message can be written as M_1 M_2 ··· M_n, where each M_i is 16 words (512 bits). Since the digest of SHA-1 is 160 bits, a 160-bit buffer is used (five 32-bit registers).

A sequence of logical functions f_0, f_1, ..., f_79 is used in SHA-1. Each f_t, 0 ≤ t ≤ 79, operates on three 32-bit words B, C, D and produces a 32-bit word as output.

SHA-1 uses the following operations:

X ∧ Y     bitwise "and" of X and Y
X ∨ Y     bitwise "or" of X and Y
X ⊕ Y     bitwise "XOR" of X and Y
¬X        bitwise complement of X
X + Y     integer addition modulo 2^{32}
S^t(X)    circular left shift of X by t positions

A function f_t(B, C, D) is defined as follows: for words B, C, D,

$f_t(B, C, D) = (B \wedge C) \vee ((\neg B) \wedge D)$, (0 ≤ t ≤ 19)

$f_t(B, C, D) = B \oplus C \oplus D$, (20 ≤ t ≤ 39)

$f_t(B, C, D) = (B \wedge C) \vee (B \wedge D) \vee (C \wedge D)$, (40 ≤ t ≤ 59)

$f_t(B, C, D) = B \oplus C \oplus D$, (60 ≤ t ≤ 79).

A sequence of constant words K_0, K_1, ..., K_79 is used in SHA-1. In hex these are given by

K_t = 5A827999, (0 ≤ t ≤ 19)

K_t = 6ED9EBA1, (20 ≤ t ≤ 39)

K_t = 8F1BBCDC, (40 ≤ t ≤ 59)

K_t = CA62C1D6, (60 ≤ t ≤ 79).

The message digest is computed using the final padded message. The computation uses two buffers, each consisting of five 32-bit words, and a sequence of eighty 32-bit words. The words of the first 5-word buffer are labelled A, B, C, D, E. The words of the second 5-word buffer are labelled H_0, H_1, H_2, H_3, H_4. The words of the 80-word sequence are labelled W_0, W_1, ..., W_79. A single-word buffer TEMP is also employed.

To generate the message digest, the 16-word blocks M_1, M_2, ..., M_n are processed in order. The processing of each M_i involves 80 steps.

Before processing any blocks, the H_i are initialized as follows (in hex):

H_0 = 67452301

H_1 = EFCDAB89

H_2 = 98BADCFE

H_3 = 10325476

H_4 = C3D2E1F0.

Now M_1, M_2, ..., M_n are processed. To process M_i, we proceed as follows:

• Divide M_i into 16 words W_0, W_1, ..., W_15, where W_0 is the left-most word.

• For t = 16 to 79 let $W_t = S^{1}(W_{t-3} \oplus W_{t-8} \oplus W_{t-14} \oplus W_{t-16})$.

• Let A = H_0, B = H_1, C = H_2, D = H_3, E = H_4.

• For t = 0 to 79 do

    TEMP = S^5(A) + f_t(B, C, D) + E + W_t + K_t;
    E = D;
    D = C;
    C = S^30(B);
    B = A;
    A = TEMP;



• Let H_0 = H_0 + A, H_1 = H_1 + B, H_2 = H_2 + C, H_3 = H_3 + D, H_4 = H_4 + E.

After processing M_n, the message digest is the 160-bit string represented by the 5 words

H_0 H_1 H_2 H_3 H_4.
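The SHA-1 procedure just listed, transcribed step for step into Python and checked against the standard library, as an added example (not code from the lecture notes). Nothing is assumed beyond the constants and steps on the page; the helper names S, f and K follow the notation above, and `matches_hashlib` lets any input be compared with `hashlib.sha1`.

```python
# Added example (not from the lecture notes): SHA-1 exactly as described in the
# text (padding, message schedule, 80-step compression), written for clarity.
import hashlib
import struct

MASK = 0xFFFFFFFF


def S(n, x):
    """S^n(X): circular left shift of the 32-bit word x by n positions."""
    return ((x << n) | (x >> (32 - n))) & MASK


def f(t, b, c, d):
    """f_t(B, C, D) for the four ranges of t."""
    if t < 20:
        return (b & c) | ((~b & MASK) & d)
    if t < 40:
        return b ^ c ^ d
    if t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def K(t):
    """K_t: one constant per 20-step range."""
    return (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)[t // 20]


def pad(msg: bytes) -> bytes:
    """Append a 1 bit, zeros up to 448 mod 512 bits, then the 64-bit bit length."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF      # length taken modulo 2^64
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", bit_len)


def sha1(msg: bytes) -> bytes:
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = pad(msg)
    for i in range(0, len(padded), 64):              # each M_i is 16 words
        w = list(struct.unpack(">16I", padded[i:i + 64]))   # W_0..W_15
        for t in range(16, 80):                      # W_t = S^1(W_{t-3}^W_{t-8}^W_{t-14}^W_{t-16})
            w.append(S(1, w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]))
        a, b, c, d, e = h                            # A..E = H_0..H_4
        for t in range(80):
            temp = (S(5, a) + f(t, b, c, d) + e + w[t] + K(t)) & MASK
            e, d, c, b, a = d, c, S(30, b), a, temp  # E=D; D=C; C=S^30(B); B=A; A=TEMP
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]   # H_i += A..E
    return b"".join(struct.pack(">I", x) for x in h)             # H_0 H_1 H_2 H_3 H_4


def sha1_hex(msg: bytes) -> str:
    return sha1(msg).hex()


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check against the C implementation in the standard library."""
    return sha1(msg) == hashlib.sha1(msg).digest()
```

Note the rotation by 30 applied to B, not a shift; and that the padding step runs even when the message already ends on a block boundary, which is why `sha1(b"")` still processes one full block.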

In 2001, NIST announced that a draft version of FIPS 180-2 was available for public comment and review. This proposed standard includes SHA-1 as well as three new hash functions, named SHA-256, SHA-384 and SHA-512. The suffixes "256", "384" and "512" refer to the sizes of the message digests. In 2002, NIST added SHA-224 to FIPS 180-2.

It is not difficult to see that the longer the digest, the more secure the hash function. For example, if the message digest is 64 bits, then we can always find a collision among any 2^{64} + 1 different messages. However, there is a more efficient attack called the birthday attack. The name of the attack comes from the birthday paradox: the probability that at least 2 people in a room of 23 people have the same birthday is more than 0.5 (≈ 0.507). In general, it can be proved that for a random variable that is an integer with uniform distribution between 1 and n, more than 1.18√n random values will have a collision with probability 0.5. For a hash function with an m-bit message digest, Oscar can perform the following birthday attack.

1. Oscar generates 2^{m/2} variations of a message and computes the message digests of these variations. These data are recorded in a list L sorted by message digest.

2. Oscar generates variations of a second, fraudulent message. For each variation, he computes its digest and tries to find the same digest in the list L.

3. If Oscar finds the same message digest for two different messages, then he can substitute one message for the other, since both have the same hash value.

It is easy to generate variations of a message by computer. One can just add some insignificant characters, such as space, backspace, enter etc., to the message. The probability of success is more than 0.5 if the number of variations in step 2 is 2^{m/2}.
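The birthday bound that the attack above relies on, as an added example (not code from the lecture notes). `birthday_probability` evaluates the exact probability of a repeat among k uniform draws from n values, which reproduces the 23-people figure and the 1.18√n rule of thumb; `digest_bits_needed` turns the bound around into the defender's question of how long a digest must be for a given attacker budget. No values beyond the page's own (n = 365, k = 23) are assumed.

```python
# Added example (not from the lecture notes): the birthday paradox behind the
# 2^(m/2) cost of the birthday attack.
import math


def birthday_probability(n: int, k: int) -> float:
    """P(at least one collision among k uniform draws from n possible values).

    P(no collision) = prod_{i=0}^{k-1} (n - i) / n, so P(collision) = 1 - that."""
    if k > n:
        return 1.0
    no_collision = 1.0
    for i in range(k):
        no_collision *= (n - i) / n
    return 1.0 - no_collision


def draws_for_half(n: int) -> int:
    """Smallest k such that the collision probability reaches 1/2 (about 1.18 sqrt(n))."""
    k = 1
    while birthday_probability(n, k) < 0.5:
        k += 1
    return k


def digest_bits_needed(attacker_hashes: int) -> int:
    """Digest length m (bits) such that 2^(m/2) is not below the attacker's hash budget.

    Collision resistance of an m-bit digest is only about 2^(m/2) work, so the
    digest must be twice as long as the work factor one wants to impose."""
    return 2 * math.ceil(math.log2(attacker_hashes))
```

For n = 365 the function reports 23 draws for a better-than-even chance; for a 16-bit digest (n = 2^16) it reports about 1.18 × 256 ≈ 302 hashes, which is the page's 2^{m/2} estimate with the constant made explicit.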

Under the birthday attack, we can find a collision with 2^{64} inputs for MD5 and 2^{80} inputs for SHA-1. Recently, MD5 and subsequently SHA-1 have been broken. Here "broken" means that some algorithm can be used to find a collision with fewer inputs. In 2004, a group of researchers reported that they found an algorithm which can find a collision using 2^{69} inputs. On February 28, 2005, NIST published a comment on that attack. The comment indicated that "Due to advances in computing power, NIST already planned to phase out SHA-1 in favor of the larger and stronger hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) by 2010. New developments should use the larger and stronger hash functions."

HMAC

A hash function was not designed for use as a MAC and cannot be used directly for that purpose because it does not use a secret key. To incorporate a secret key into an existing hash algorithm, HMAC (keyed-hash message authentication code) was devised. HMAC was issued as RFC 2104 and was generalized as FIPS PUB 198 in March 2002. HMAC is used in combination with a FIPS-approved cryptographic hash function and a secret key. The algorithm can be described as follows:

$MAC(x)_t = HMAC(K, x)_t = h\big((K_0 \oplus opad) \,\|\, h((K_0 \oplus ipad) \,\|\, x)\big)_t$

where x is the message, h is some FIPS-approved hash function and K is a secret key. K_0 is derived from K to fit the hash function. ipad and opad are the inner pad and outer pad, and || is the concatenation operation. The output is the leftmost t bytes.

The HMAC Algorithm can be described step by step as follows.

1. If the length of K = B (the block size of the input to the hash function): set K_0 = K. Go to step 4.

2. If the length of K > B: apply the hash function to K to obtain an L-byte string (L is the block size of the output of the hash function), then append (B − L) zeros to create a B-byte string K_0. Go to step 4.

3. If the length of K < B: append zeros to the end of K to create a B-byte string K_0.

4. Exclusive-Or K_0 with ipad to produce a B-byte string: K_0 ⊕ ipad, where ipad is the byte 36 (hexadecimal notation) repeated B times.

5. Append the stream of data x to the string resulting from step 4: (K_0 ⊕ ipad) || x.

6. Apply h to the stream generated in step 5: h((K0 ⊕ ipad)||x).

7. Exclusive-Or K_0 with opad: K_0 ⊕ opad, where opad is the byte 5c (hexadecimal notation) repeated B times.

8. Append the result from step 6 to the result of step 7: (K_0 ⊕ opad) || h((K_0 ⊕ ipad) || x).

9. Apply h to the result from step 8: h((K_0 ⊕ opad) || h((K_0 ⊕ ipad) || x)).

10. Select the leftmost t bytes of the result of step 9 as the MAC.

If the same key is used for authentication of several messages, then the values of K_0 ⊕ ipad and K_0 ⊕ opad can be stored somewhere for reuse.

Note that in HMAC (or any MAC) the output should be large enough. In general, the probability that an HMAC verification algorithm accepts a random t-bit digest is (1/2)^t. The exposure is magnified if a verification algorithm permits different digests of the same message to be repeatedly presented for verification, or permits a digest to be presented with different messages for verification. Therefore, if the output of the hash function in an HMAC is truncated, then the length t should be chosen as large as is practical, with at least half as many bits as the hash output.

Although many hash functions, including MD5 and SHA-1, have been attacked successfully, these attacks do not affect the security of an HMAC.
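The ten HMAC steps above written out literally over SHA-1 (B = 64 bytes, L = 20 bytes) and cross-checked against Python's `hmac` module, as an added example (not code from the lecture notes). The key and message are constructed; the final function shows the verifier side, where the comparison of tags is done in constant time so that a verifier cannot be probed byte by byte.

```python
# Added example (not from the lecture notes): HMAC step by step (FIPS 198 / RFC 2104
# structure) over SHA-1, plus the verification-side comparison.
import hashlib
import hmac as stdlib_hmac


def hmac_steps(key: bytes, msg: bytes, t=None, h=hashlib.sha1) -> bytes:
    B = h().block_size           # 64 bytes for SHA-1 (and SHA-256)
    L = h().digest_size          # 20 bytes for SHA-1
    # Steps 1-3: derive the B-byte key K0.
    if len(key) > B:
        key = h(key).digest()                   # step 2: hash a long key to L bytes
    k0 = key + b"\x00" * (B - len(key))         # steps 1/3: zero-pad to B bytes
    ipad = bytes([0x36]) * B                    # inner pad: byte 0x36 repeated B times
    opad = bytes([0x5C]) * B                    # outer pad: byte 0x5c repeated B times
    k0_ipad = bytes(a ^ b for a, b in zip(k0, ipad))           # step 4
    inner = h(k0_ipad + msg).digest()                          # steps 5-6
    k0_opad = bytes(a ^ b for a, b in zip(k0, opad))           # step 7
    outer = h(k0_opad + inner).digest()                        # steps 8-9
    return outer if t is None else outer[:t]                   # step 10: leftmost t bytes


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Same answer as the library implementation, for any key length."""
    return hmac_steps(key, msg) == stdlib_hmac.new(key, msg, hashlib.sha1).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time, so timing does not reveal how
    many leading bytes of a guessed tag were right."""
    return stdlib_hmac.compare_digest(hmac_steps(key, msg, len(tag)), tag)
```

Because the key enters twice, once under ipad and once under opad, knowing h alone gives no way to extend a tagged message; that two-layer structure is why the collision attacks on MD5 and SHA-1 mentioned above do not carry over to HMAC built on them.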

5.3 Key Distribution

Since a public-key system is usually much slower than a private-key system, we need some method to distribute secret keys. In fact, the idea of a public-key system was first considered for a key exchange protocol by Diffie and Hellman. We will introduce some key distribution methods in this subsection.

For security reasons, a secret key cannot be used for a long time. In practice, we usually use session keys. A session key is used for a limited time, which enhances the security of the key. Since session keys need refreshing frequently, it is important to develop methods to distribute session keys.



On July 6, 2005, NIST published Draft Special Publication 800-56, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography". In this section, we discuss some basic key establishment schemes based on the discrete logarithm problem.

Diffie-Hellman key exchange

The Diffie-Hellman key exchange algorithm is used for two parties to exchange a key. This algorithm was invented in 1976 and is based on the discrete logarithm problem.

The Diffie-Hellman key exchange algorithm is described in Figure 5.4.

Let p be a prime such that the logarithm problem in Z_p is infeasible. Let α be a primitive element of Z_p. Then Alice and Bob do the following.

1. Alice chooses x_A ∈ Z_p^*. Then she computes and sends Bob $y_A = \alpha^{x_A} \bmod p$.

2. Bob chooses x_B ∈ Z_p^*. Then he computes and sends Alice $y_B = \alpha^{x_B} \bmod p$.

3. The common key of Alice and Bob is

$K = y_B^{x_A} \bmod p = y_A^{x_B} \bmod p$.

Figure 5.4: Diffie-Hellman Key Exchange Algorithm

The Diffie-Hellman algorithm is simple, and the secret keys are created only when needed. However, there are some weaknesses which Oscar can use to attack the protocol. One attack is called the man-in-the-middle attack. In this attack, Oscar impersonates Bob while communicating with Alice and impersonates Alice while communicating with Bob. To do that, he sends Alice and Bob a public value $\alpha^{x_O}$ using Bob's ID and Alice's ID, respectively. Then two common keys are created: $K_1 = \alpha^{x_A x_O}$ between Alice and Oscar, and $K_2 = \alpha^{x_O x_B}$ between Bob and Oscar. However, Alice and Bob think they have established a common key.

Another kind of attack Oscar can mount is sending Bob a lot of random numbers as his public value y_O. Then Bob has to do a lot of exponentiations, which wastes considerable computing resources. This attack is sometimes called a clogging attack.

The above two attacks are actually based on the fact that the information exchanged in the protocol is not authenticated.
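The exchange of Figure 5.4 with both parties' messages, as an added example (not code from the lecture notes). The group p = 467, α = 2 is a constructed toy value of the same size as the notes' examples. The example reproduces only the unauthenticated protocol: the range check in `receive` rejects the degenerate public values 0, 1 and p − 1, which would force the shared key into a tiny set, but it says nothing about who sent the value, which is exactly the gap the two attacks above exploit and which Oakley closes with signatures.

```python
# Added example (not from the lecture notes): Diffie-Hellman over a constructed
# toy group p = 467, alpha = 2 (2 is a primitive element mod 467).
import secrets

P, ALPHA = 467, 2


class Party:
    def __init__(self, name, p=P, alpha=ALPHA):
        self.name, self.p, self.alpha = name, p, alpha
        while True:
            self.x = 1 + secrets.randbelow(p - 2)    # secret exponent x in [1, p-2]
            self.y = pow(alpha, self.x, p)            # public value alpha^x mod p
            if 1 < self.y < p - 1:                    # never send a degenerate value
                break
        self.key = None

    def accepts(self, peer_public: int) -> bool:
        """Sanity check only: 0, 1 and p-1 would pin the key to {0, 1, p-1}."""
        return 1 < peer_public < self.p - 1

    def receive(self, peer_public: int) -> int:
        if not self.accepts(peer_public):
            raise ValueError(f"{self.name}: peer public value out of range")
        self.key = pow(peer_public, self.x, self.p)   # K = y_peer^x mod p
        return self.key


def diffie_hellman():
    """Run steps 1-3 of Figure 5.4 and return the two parties' keys."""
    alice, bob = Party("Alice"), Party("Bob")
    k_alice = alice.receive(bob.y)      # Alice: K = y_B^{x_A} mod p
    k_bob = bob.receive(alice.y)        # Bob:   K = y_A^{x_B} mod p
    return k_alice, k_bob


def keys_agree() -> bool:
    k_alice, k_bob = diffie_hellman()
    return k_alice == k_bob
```

Both sides arrive at α^{x_A x_B} mod p without either secret exponent leaving its owner; a value that passes `accepts` can still have come from Oscar, which is the point of the next subsection.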

Oakley key exchange

The Oakley Key Determination Protocol is a refinement of the Diffie-Hellman key exchange algorithm. Oakley uses a cookie exchange, which requires each party to send a pseudorandom number in its initial message and to use the cookie in subsequent communications. Cookies are used to thwart clogging attacks. Usually, a cookie is a hash value of the IP addresses of the source and destination, the UDP or TCP ports and some local secret value. The protocol requires user IDs and data authentication to guard against the man-in-the-middle attack. When cookies are used, Oscar may mount a replay attack as follows: he just sends an old message again and again. So the protocol also uses nonces (pseudorandom numbers) in each message exchange to protect against replay attacks.

The Oakley specification includes a number of examples of key exchange. One example is called aggressive key exchange, which has only three message exchanges. Let I be the initiator and R be the receiver. The message exchanges are as follows.

• I sends a cookie, the group to be used (the value of (Z_p, α)), the value of y_I = α^{x_I} mod p, I's nonce, I's identifier and R's identifier. I also indicates the public-key encryption, hash and authentication algorithms to be used in this exchange. Then I appends a signature that signs the two identifiers, the nonce, (p, α), y_I, and the offered algorithms.

• R verifies I's signature. Then R echoes back I's cookie, identifier, nonce and (p, α). R also includes in the message a cookie, y_R = α^{x_R} mod p, the selected algorithms (which must be among the offered algorithms), R's identifier, and R's nonce. R appends a signature that signs the two identifiers, the two nonces, p, α, y_I, y_R, and the selected algorithms.



• I verifies R's signature. The nonce values in the message assure that this is not a replay of an old message. To complete the exchange, I sends a message back to R to confirm that I has received R's message. This message contains the two cookies, (p, α), y_I, the two identifiers, the two nonces, the selected algorithms and a signature over the information.

The detailed message exchange is described in Figure 5.5.

I → R: CKY_I, KTP, GRP, α^{x_I}, EHAO, NIDP, ID_I, ID_R, N_I, sig_I(ID_I || ID_R || N_I || GRP || α^{x_I} || EHAO)

R → I: CKY_R, CKY_I, KTP, GRP, α^{x_R}, EHAS, NIDP, ID_R, ID_I, N_R, N_I, sig_R(ID_R || ID_I || N_R || N_I || GRP || α^{x_R} || α^{x_I} || EHAS)

I → R: CKY_I, CKY_R, KTP, GRP, α^{x_I}, EHAS, NIDP, ID_I, ID_R, N_I, N_R, sig_I(ID_I || ID_R || N_I || N_R || GRP || α^{x_I} || α^{x_R} || EHAS)

Notation:
CKY_I: I's cookie
KTP: Key exchange message type
GRP: Name of Diffie-Hellman group
EHAO, EHAS: Encryption, hash and authentication algorithms, offered and selected
NIDP: Indicates that encryption is not used for the remainder of the message
N_I: Nonce of I.

Figure 5.5: Aggressive Oakley Key Exchange

In the above key exchange, the main parts of each message are signed with a signature scheme. In this way, Oscar cannot forge Alice's message. However, in this case Bob must be sure that the public key he holds for Alice is really hers and has not been substituted by Oscar. We will discuss how to certify a public key later.

Kerberos

The Diffie-Hellman algorithm and the Oakley key exchange are for two parties to exchange a secret key.

In a network we need other key distribution services. We mentioned that, to reduce the total number of keys in a network, it is desirable that there be a key distribution center (KDC) and that session keys be used. To use a KDC and session keys, we need some special key services. Kerberos is a popular key-serving system developed by MIT. In the Kerberos system, there is an Authentication Server (AS). Each user U on the network shares a secret DES key K_U with the AS (for example, a key created from a password). When two users U and V need to communicate with each other (here V might be some network server), they request a session key. Kerberos is used to transmit a session key. A simplified version of Kerberos can be described as follows.

1. U asks AS for a session key to communicate with V: U sends ID_U, TS_1 to AS, where ID_U is user U's identifier and TS_1 is a timestamp used to check time synchronization.

2. AS chooses a random key K, a time stamp T (also called a ticket), and a lifetime L (the lifetime of the session key), so that the session key will be valid from time T to T + L. Then AS sends U: m_1 = e_{K_U}(K || ID_V || T || L) and m_2 = e_{K_V}(K || ID_U || T || L).

3. U decrypts m_1 to obtain K, T, L and ID_V. Then U computes m_3 = e_K(ID_U || T) and sends V the values m_2 and m_3.

4. V decrypts m_2 and obtains K, ID_U, T and L. Then V can compute T and ID_U from m_3. V checks whether the two values of T and the two values of ID_U are the same. If so, V computes m_4 = e_K(T + 1) and sends m_4 to U.

5. U decrypts m_4 and verifies the correctness of T + 1.

If everything is correct, then U and V use K as a session key.

The above description of Kerberos is based on version 4. Version 5 of Kerberos is specified in RFC 1510. Version 5 has several improvements so that the protocol is more flexible and more secure. The latest version is Kerberos 5 release 1.4.3.
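The five steps above, run end to end in Python as an added example (this is not code from the notes or from MIT Kerberos). The DES encryption e_K of the text is replaced by a toy authenticated cipher built from HMAC-SHA256 (constructed for this example, so that a forged or modified ticket is rejected rather than decrypted to garbage); the principal names, clock values and lifetime are assumptions. The example also shows why step 4 compares the identity and time stamp in the ticket m_2 with those in the authenticator m_3.

```python
import hashlib
import hmac
import json
import secrets

# Toy authenticated encryption standing in for DES (constructed for this example,
# not the real Kerberos cipher): keystream from HMAC-SHA256 in counter mode plus an
# HMAC tag, so a tampered or foreign ticket is rejected instead of decrypting to garbage.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def enc(key, fields):
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket failed integrity check")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

class AuthServer:
    """AS: shares a long-term key K_U with every principal (step 2 of the text)."""
    def __init__(self, keys, max_skew=60, lifetime=300):
        self.keys, self.max_skew, self.lifetime = dict(keys), max_skew, lifetime

    def session_key_request(self, id_u, id_v, ts1, now):
        if abs(now - ts1) > self.max_skew:          # TS_1 checks clock synchronisation
            raise ValueError("clock skew too large")
        K, T, L = secrets.token_bytes(32).hex(), now, self.lifetime
        m1 = enc(self.keys[id_u], {"K": K, "ID": id_v, "T": T, "L": L})   # for U
        m2 = enc(self.keys[id_v], {"K": K, "ID": id_u, "T": T, "L": L})   # ticket for V
        return m1, m2

class Service:
    """V: step 4 of the text; checks the ticket against the authenticator and proves it holds K."""
    def __init__(self, key_v):
        self.key_v = key_v

    def accept(self, m2, m3, now):
        ticket = dec(self.key_v, m2)
        K = bytes.fromhex(ticket["K"])
        authenticator = dec(K, m3)                   # only U (who read m_1) knows K
        if authenticator["ID"] != ticket["ID"] or authenticator["T"] != ticket["T"]:
            raise ValueError("authenticator does not match ticket")
        if not ticket["T"] <= now <= ticket["T"] + ticket["L"]:
            raise ValueError("ticket outside its lifetime")
        return enc(K, {"T": ticket["T"] + 1}), K     # m_4

def client_login(id_u, key_u, id_v, auth_server, service, now, claimed_id=None):
    """U's side (steps 1, 3 and 5). claimed_id lets us show what happens when m_3 lies."""
    m1, m2 = auth_server.session_key_request(id_u, id_v, now, now)
    t = dec(key_u, m1)
    if t["ID"] != id_v:
        raise ValueError("AS answered for the wrong service")
    K = bytes.fromhex(t["K"])
    m3 = enc(K, {"ID": claimed_id or id_u, "T": t["T"]})
    m4, k_at_v = service.accept(m2, m3, now)
    if dec(K, m4)["T"] != t["T"] + 1:
        raise ValueError("V failed to prove it holds K")
    return K == k_at_v

def demo():
    """Honest run: True when U and V end up holding the same session key."""
    k_alice, k_srv = secrets.token_bytes(32), secrets.token_bytes(32)
    AS = AuthServer({"alice": k_alice, "fileserver": k_srv})
    return client_login("alice", k_alice, "fileserver", AS, Service(k_srv), now=1_000_000)

def demo_mismatched_authenticator():
    """m_3 claims an identity different from the ticket: V must reject (True if it did)."""
    k_alice, k_srv = secrets.token_bytes(32), secrets.token_bytes(32)
    AS = AuthServer({"alice": k_alice, "fileserver": k_srv})
    try:
        client_login("alice", k_alice, "fileserver", AS, Service(k_srv), now=1_000_000,
                     claimed_id="root")
    except ValueError:
        return True
    return False
```

The lifetime check in `Service.accept` is where the T and L carried inside the ticket do their work: a captured m_2 replayed after T + L is refused even though it decrypts correctly.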

5.4 Public Key Infrastructure

Kerberos uses a conventional cryptosystem, so we still need to establish secret keys at the beginning of the protocol. An alternative is to use public-key systems. Using a public-key system, Bob can publish his public key and let Alice use that key to encrypt messages to him or to verify his signature. However, how can Alice be sure that the published key is not one planted by Oscar impersonating Bob? That means that a public key should be authenticated. The general solution is to use a public key infrastructure (PKI).

The basic idea of PKI is to let users know which public key belongs to whom. In a PKI there is a Certificate Authority (CA), which certifies users' public keys. However, if we look at the details of PKI, we find that there are many security problems to be considered, and it seems there is no ideal solution for PKI.

The term PKI can be very confusing, even to a technologist, because it is used for several different things. PKI may mean the methods, technologies and techniques that together provide a secure infrastructure. But in some cases PKI may just mean the use of a public/private key pair for authentication and proof of content. People use different definitions for PKI. In general, PKI means using public-key cryptosystems to protect electronic communications and electronic files for authentication, message integrity, access control, identity verification, nonrepudiation, etc. We have already seen many issues concerning public-key systems. The main unresolved problem is how to certify the public key.

NIST developed a document called "The Certificate Issuing and Management Components Protection Profile" (version 1.0) in 2001. This document specifies the functional and assurance security requirements for a CIMC. The intent of this family of Protection Profiles is to ensure specification of the complete set of requirements for a CIMC and not the specification of a subset of requirements implemented in a specific CIMC subcomponent. It includes all the technical features of a CIMC, regardless of which CIMC subcomponent performs the function. The document does not differentiate between functions that are typically performed by a CA and functions that are typically performed by an RA (Registration Authority).

Figure 5.6 displays an example of a PKI. In this example there are three CIMCs with different structures and hierarchies. One CIMC contains several registration authorities; another contains an OCSP (Online Certificate Status Protocol) server. There are two repositories to distribute certificates and certificate revocation lists (CRLs).

NIST's PKI and S/MIME programs have been merged, reflecting NIST's increased attention to PKI-aware applications. Secure mail is a priority application for nearly every organization, whether in the private sector or government. We will discuss S/MIME later. NIST is also pursuing XML digital signatures using PKI to verify the identity of the signer, based on the IETF/W3C draft specifications.

[Figure 5.6: A PKI with three CAs. The figure shows three CIMC boundaries containing CA-1, CA-2 and CA-3; Registration Authorities and an OCSP Server inside the CIMCs; two Certificate and CRL Repositories; and PKI Users exchanging certificate or revocation requests, certificates and status information with them.]

There are many groups in the world working on PKI, and different PKI profiles have been developed. Here we give a brief introduction to the Internet X.509 public key infrastructure. X.509 defines a framework for the provision of authentication services. An important part of the X.509 scheme is the public-key certificate associated with each user. The scheme assumes a CA that creates user certificates and places them in the directory. X.509 defines the certificate format, certification paths and trust, certificate revocation lists, authentication procedures, etc.

All X.509 certificates contain the following data, in addition to the signature:

Version: This identifies which version of the X.509 standard applies to this certificate, which affects what information can be specified in it. Thus far, three versions are defined. (The Java-based keytool utility can import and export v1, v2 and v3 certificates; it generates v1 certificates.)

Serial Number: The entity that created the certificate is responsible for assigning it a serial number to distinguish it from other certificates it issues. This information is used in numerous ways; for example, when a certificate is revoked its serial number is placed in a Certificate Revocation List (CRL).

Signature Algorithm Identifier: This identifies the algorithm used by the CA to sign the certificate.

Issuer Name: The X.500 Distinguished Name of the entity that signed the certificate. This is normally a CA. Using this certificate implies trusting the entity that signed it. (Note that in some cases, such as root or top-level CA certificates, the issuer signs its own certificate.)

Validity Period: Each certificate is valid only for a limited amount of time. This period is described by a start date and time and an end date and time, and can be as short as a few seconds or almost as long as a century. The validity period chosen depends on a number of factors, such as the strength of the private key used to sign the certificate or the amount one is willing to pay for a certificate. This is the expected period for which entities can rely on the public value, provided the associated private key has not been compromised.

Subject Name: The name of the entity whose public key the certificate identifies. This name uses the X.500 standard, so it is intended to be unique across the Internet. This is the X.500 Distinguished Name (DN) of the entity, for example,

CN=Java Duke, OU=Java Software Division, O=Sun Microsystems Inc, C=US

(These refer to the subject's Common Name, Organizational Unit, Organization, and Country.)

Subject Public Key Information: This is the public key of the entity being named, together with an algorithm identifier which specifies which public key cryptosystem this key belongs to and any associated key parameters.

X.509 certificates are used in the SSL protocol, IPSec, S/MIME and SET, which we will discuss later.

PGP uses another type of public-key certificate.

5.5 Quantum Techniques in Cryptography

Quantum computing is a new area of research which is difficult for non-physicists to fully understand. However, some quantum techniques are very important to cryptographic systems. In this section we give a very brief explanation of some quantum techniques that are used for cryptography.

Quantum mechanics is the physics of particles. We need particles that we are able to observe. Photons are the particles that make up light and are therefore observable. Light is an example of an electromagnetic wave, meaning that it consists of an electric field that travels orthogonally to a corresponding magnetic field. Therefore we can define the concept of polarization of light.

We will represent a photon's polarization by a unit vector in the two-dimensional complex vector space. This vector space has an inner product given by (a, b) · (c, d) = a c̄ + b d̄, where c̄ and d̄ denote the complex conjugates of c and d. The square of the length of the vector (a, b) is then (a, b) · (a, b) = |a|² + |b|². Choose a basis for this vector space, which we will denote |↑⟩ and |→⟩. We can think of |↑⟩ as the vertical direction and |→⟩ as the horizontal direction. So an arbitrary polarization may be represented as a|↑⟩ + b|→⟩, where a and b are complex numbers. Since we are working with unit vectors, |a|² + |b|² = 1. We could also have chosen a different orthogonal basis, for example one corresponding to a 45° rotation: |↖⟩ and |↗⟩.

Polaroid filters perform a measurement of the polarization of the photon. There are two possible outcomes: either the photon is aligned with the filter, or it is perpendicular to the direction of the filter. If the vector a|↑⟩ + b|→⟩ is measured by a vertical filter, then the probability that the photon has vertical polarization after passing through the filter is |a|², and the probability that it has horizontal polarization is |b|².

Similarly, suppose we measure a vertically aligned photon with respect to a 45° filter. Since

|↑⟩ = (1/√2)|↗⟩ + (1/√2)|↖⟩,

the probability that the photon passes through the filter (it is measured as being aligned at 45°) is (1/√2)² = 1/2. Similarly, the probability that it does not pass through the filter is also 1/2. One important property of quantum mechanics is that such a measurement forces the photon into a definite state. Therefore after being measured, the state of the photon is changed to the result of the measurement. For example, if we measure the state a|↑⟩ + b|→⟩ and obtain |→⟩, then the photon will be in the state |→⟩. If we then measure with a |↑⟩ filter, we will never observe the photon in the |↑⟩ state.

5.5.1 Quantum key distribution BB84

Researchers have used quantum mechanics to design key distribution schemes whose security does not depend on computational assumptions. We introduce one such scheme, BB84, developed by Charles Bennett and Gilles Brassard in 1984.

We need to define a quantum bit, known as a qubit. In a two-dimensional complex vector space, choose a pair of orthogonal vectors of length one and call them |0⟩ and |1⟩. A qubit is a unit vector in this vector space. For the demonstration, we can think of a qubit as a polarized photon. We have chosen |0⟩ and |1⟩ as notation to conveniently represent the bits 0 and 1, respectively. The other qubits are linear combinations of these two vectors, so a qubit can be represented as a|0⟩ + b|1⟩, where a and b are complex numbers such that |a|² + |b|² = 1.

To establish a secret key, Alice and Bob need two channels: one quantum channel and one classical communication channel. Both channels are public. A quantum channel is one through which they can exchange polarized photons. The classical channel is used to send ordinary messages to each other.

Two bases are chosen: B1 = {|↑⟩, |→⟩} and B2 = {|↖⟩, |↗⟩}. Alice starts the key establishment by sending a sequence of bits to Bob.

Alice's bit            0  1  1  0  1  0  0  1  0  1  0  1
Alice's basis          +  +  ×  +  ×  ×  ×  +  +  ×  +  ×
Photon polarization    ↑  →  ↗  ↑  ↗  ↖  ↖  →  ↑  ↗  ↑  ↗
Bob's measure          +  ×  ×  +  +  ×  +  ×  +  ×  ×  +
Shared key             0     1  0     0        0  1

Table 5.1: BB84 key distribution

For each bit, Alice randomly chooses a basis. If B1 is chosen, then she encodes 0 as |↑⟩ and 1 as |→⟩. If B2 is chosen, then she encodes 0 and 1 using the two elements of B2.

When Alice sends a photon, Bob randomly chooses to measure it with respect to either basis B1 or basis B2. In this way, Bob obtains an element of the chosen basis as the result of his measurement. Bob records the measurements he has made and keeps them secret. He then tells Alice the basis with which he measured each photon. Alice responds by telling him which bases were the correct bases for the polarizations of the photons she sent. They keep the bits for which they used the same basis and discard the others. Since two bases were used, Alice and Bob will agree on roughly half of the bits that Alice sent. They can then use these bits as the key for a cryptographic system.

We now use a small example to explain the idea. To simplify the discussion, we use the following notation: + denotes that basis B1 is chosen for encoding and × denotes that basis B2 is chosen.

Basis   0   1
  +     ↑   →
  ×     ↖   ↗

Now suppose Alice creates the random bits 011010010101 and randomly selects bases as in Table 5.1. Bob measures the photons using randomly selected bases. Then both of them send the basis sequences they used. In this way, they establish the shared key 010001.

Now suppose Oscar tries to eavesdrop on the communication. To get information about the photons Alice sent to Bob, Oscar also chooses random bases to measure the polarization of the photons. Then Bob may obtain wrong information about the key. We explain that situation in Table 5.2.

Therefore, after Alice and Bob have obtained the common key, they select some key bits at random positions and check that these bits agree.

Alice's bit            0  1  1  0  1  0  0  1  0  1  0  1
Alice's basis          +  +  ×  +  ×  ×  ×  +  +  ×  +  ×
Photon polarization    ↑  →  ↗  ↑  ↗  ↖  ↖  →  ↑  ↗  ↑  ↗
Oscar's measure        +  ×  +  ×  +  ×  ×  +  +  ×  +  ×
Photon polarization    ↑  ↑  →  ↖  →  ↖  ↖  →  ↑  ↗  ↑  ↗
Bob's measure          +  ×  ×  +  +  ×  +  ×  +  ×  ×  +
Shared key             0     0  1     0        0  1
Errors                       ?  ?

Table 5.2: BB84 key distribution with attackers

If there is an error, then the key is discarded. Otherwise, the remaining bits (the unreleased bits) are used as the key. In this example, if the checked bits include the second or third key bit, Alice and Bob will find that the key is wrong.

If the key is long enough and the randomness that Alice and Bob use is good, then the probability that they fail to detect the eavesdropper is very small.

Note that BB84 does not include authentication of the classical communication, so man-in-the-middle attacks need to be considered. There are other quantum key distribution proposals. The security of quantum key distribution does not depend on difficult mathematical problems, which is a very important advantage compared to public-key distribution schemes. On the other hand, there are still many kinds of possible attacks on quantum key distribution which have not been fully discussed in the cryptographic community.
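The sifting step of Tables 5.1 and 5.2 as a small simulation, added here as an example (not code from the notes). The measurement rule is the one stated in Section 5.5: measuring in the encoding basis returns the encoded bit, measuring in the other basis returns a random bit and collapses the photon to the measured state. The function names, the ASCII state names in place of the arrow kets, and the 4000-photon run used to estimate Oscar's error rate are this example's own choices; the bit and basis sequences in `table_5_1` are those of Table 5.1.

```python
import random

# Photon states with ASCII names: B1 = {UP, RIGHT} written "+", B2 = {UPLEFT, UPRIGHT} written "x".
ENCODE = {("+", 0): "UP", ("+", 1): "RIGHT", ("x", 0): "UPLEFT", ("x", 1): "UPRIGHT"}
BASIS_OF = {state: basis for (basis, _), state in ENCODE.items()}
BIT_OF = {state: bit for (_, bit), state in ENCODE.items()}

def measure(photon, basis, rng):
    """Measure in a basis.  Same basis: the encoded bit, state unchanged.  Other basis:
    a random bit, and the photon collapses to the measured state (the Section 5.5 rule)."""
    if BASIS_OF[photon] == basis:
        return BIT_OF[photon], photon
    bit = rng.randrange(2)
    return bit, ENCODE[(basis, bit)]

def bb84(alice_bits, alice_bases, bob_bases, rng, eve_bases=None):
    """Return the sifted keys (Alice's, Bob's).  With eve_bases, Oscar measures every photon
    in transit and forwards the collapsed state, as in Table 5.2."""
    photons = [ENCODE[(basis, bit)] for bit, basis in zip(alice_bits, alice_bases)]
    if eve_bases is not None:
        photons = [measure(p, b, rng)[1] for p, b in zip(photons, eve_bases)]
    bob_bits = [measure(p, b, rng)[0] for p, b in zip(photons, bob_bases)]
    keep = [i for i, (a, b) in enumerate(zip(alice_bases, bob_bases)) if a == b]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]

def sample_check(alice_key, bob_key, positions):
    """Compare the publicly revealed test bits; True means no error was found."""
    return all(alice_key[i] == bob_key[i] for i in positions)

def table_5_1():
    """The worked example of Table 5.1: no eavesdropper, both sides should obtain 010001."""
    bits = [int(c) for c in "011010010101"]
    alice_bases = list("++x+xxx++x+x")
    bob_bases = list("+xx++x+x+xx+")
    ka, kb = bb84(bits, alice_bases, bob_bases, random.Random(0))
    return "".join(map(str, ka)), "".join(map(str, kb))

def intercept_resend_error_rate(n=4000, seed=7):
    """Fraction of sifted bits that disagree when Oscar measures every photon in a random basis.
    A sifted bit is wrong with probability 1/2 (Oscar chose the other basis) x 1/2 = 1/4."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice("+x") for _ in range(n)]
    bob_bases = [rng.choice("+x") for _ in range(n)]
    eve_bases = [rng.choice("+x") for _ in range(n)]
    ka, kb = bb84(bits, alice_bases, bob_bases, rng, eve_bases)
    return sum(a != b for a, b in zip(ka, kb)) / len(ka)
```

The quarter error rate is what makes the check in Table 5.2 work: each revealed test bit independently has a 1/4 chance of exposing Oscar, so the chance that he survives k test bits is (3/4)^k.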

5.5.2 Shor’s factoring algorithm


Chapter 6

Remote Access Control

We have learnt many cryptosystems, authentication schemes and other security programs. Now we start to consider how to apply these techniques to network security. In fact, there are still many things to consider when we try to apply the security programs discussed in previous chapters.

In this chapter we discuss remote access controls. However, we first need to discuss general access controls. We will mainly discuss access control by passwords, although there are other access control methods such as biometric authentication and behavioral authentication. Examples of biometric authentication are fingerprint scanners, hand geometry scanners, retinal scanners, iris scanners, etc. Examples of behavioral authentication are handwritten signature verification, voice-print technologies, etc. Using passwords to control access to computers and networks is the most popular method.

6.1 UNIX Password Systems

A password system is an important tool for controlling access to a host computer. Since UNIX is a multi-user operating system, it uses a password system. The purpose of a password is to protect a user's privacy, so that other users cannot access his account. So a password should be kept secret, so that other users cannot see it. On the other hand, when the user uses the password, the computer should be able to check its correctness. So some information must be stored in the computer for the verification of passwords.

The UNIX system uses the function crypt(3) to encrypt users' passwords. crypt(3) is based on DES. It takes the user's password (8 7-bit ASCII characters) as the encryption key and uses it to encrypt a 64-bit block of zeros. The resulting ciphertext is then encrypted again using the password as the key. The process is repeated a total of 25 times. The procedure can be described as follows. Let the password be PW. The password encryption algorithm is shown in Figure 6.1.

O_0 = 00···0
for i = 1 to 25 do
    O_i = e_PW(O_{i-1})

Figure 6.1: Password Encryption

The final 64 bits are unpacked into a string of printable characters that is stored in the /etc/passwd file or the /etc/shadow file. For example, the following is a record in /etc/passwd:

guest:x:1001:10:limited user:/export/home/guest:/bin/sh

This record indicates that the user name is guest, the password is kept in the shadow file (indicated by x), the home directory is /export/home/guest and the login shell is /bin/sh.

A record in etc/shadow looks like:

guest:541e3S7LBx03E:12109:5:30:5:10:12144:

The string 541e3S7LBx03E is the encrypted password record. When a user logs in, the login program calls crypt(3) and encrypts the block of zeros with the user's password as the key. The output is compared with the record in the password file, and the user is accepted only if the two values are the same.

In practice, crypt(3) also adds some random value, called a salt, when a user creates a password. The password is combined with the salt before it is encrypted, and the salt is also recorded in the file. The next time the user logs in with his ID, the computer first gets the salt from the file and then encrypts the password provided by the user using that salt. In this way, the salt modifies the password record so that even if two users use the same password, their records are different. The salt also increases the effective length of a password.

There are password cracker programs which search for a password by guessing or by using a password dictionary. So a password must be meaningless and should be changed frequently. The password shadow file (/etc/shadow) is used to control password aging. In the above example, the numbers 5:30:5:10 are used to control the password lifetime. A good password should meet the following criteria:

• Be at least 8 characters in length.

• Contain both upper and lower case characters.

• Contain at least one number.

• Contain at least one special character.

• Not based upon a dictionary word.

Some methods can be used to create a password that meets the above rules and is also easy to remember. For example, you may think of a sentence (one that is somewhat unique to you) such as "My girl friend Patricia is always asking me for help". Then you can use the following password:

MgfPia?m4h.

In some cases a hash function is used for the password. For example, MD5 is used in Linux so that the password can be of any length. The resulting 128-bit digest is used as a key for encryption. In this case, a long nonsense sentence or phrase can be used as a password. For example, I jumped to the Moon and saw many beautiful ladies swimming there! might be a good password. Using a long sentence or phrase as a password requires considering an attack called the race attack, which we will discuss in the next section when we consider one-time passwords.

Some UNIX systems now use bigcrypt() or crypt16(), which use 16 or more significant characters of the password.
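The two mechanisms of this section, the salted password record and the aging fields of /etc/shadow, as an added Python example (not code from the notes or from any UNIX implementation). The sample shadow line is the one quoted above; the meaning of its numeric fields (last change, minimum and maximum age, warning period, inactivity period and account expiry, all in days since 1970-01-01) follows the shadow(5) file format. Since Python's DES-based `crypt` module is deprecated, the 25-round DES of crypt(3) is replaced by PBKDF2-HMAC-SHA256, which plays the same role: a salted, iterated one-way transform whose salt is stored next to the result. The record format `$pbkdf2$rounds$salt$digest` is this example's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# The shadow record quoted in the text, used here as constructed sample input.
SAMPLE_SHADOW = "guest:541e3S7LBx03E:12109:5:30:5:10:12144:"

@dataclass
class ShadowRecord:
    name: str
    hash: str           # crypt(3) output: two salt characters followed by the encoded result
    lastchange: int     # day the password was last changed (days since 1970-01-01)
    min_days: int       # days before the password may be changed again
    max_days: int       # days after which the password must be changed
    warn_days: int      # days before expiry on which the user is warned
    inactive_days: int  # grace days after expiry before the account is disabled
    expire: int         # absolute day on which the account itself expires (-1: never)

def parse_shadow(line):
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("malformed shadow record")
    def num(s):
        return int(s) if s else -1          # an empty field means "not set"
    return ShadowRecord(fields[0], fields[1], *(num(x) for x in fields[2:8]))

def password_status(rec, today):
    """Password aging as the shadow fields define it; `today` is in days since the epoch."""
    if rec.expire >= 0 and today >= rec.expire:
        return "account-expired"
    age = today - rec.lastchange
    if rec.max_days >= 0 and age > rec.max_days:
        if rec.inactive_days >= 0 and age > rec.max_days + rec.inactive_days:
            return "inactive"
        return "expired"
    if rec.max_days >= 0 and rec.warn_days >= 0 and age >= rec.max_days - rec.warn_days:
        return "warn"
    return "ok"

def hash_password(password, salt=None, rounds=100_000):
    """Salted, iterated hash; PBKDF2-HMAC-SHA256 stands in for the 25 DES rounds of crypt(3)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"$pbkdf2${rounds}${salt.hex()}${digest.hex()}"   # the salt travels with the record

def verify_password(password, stored):
    """Login check: take the salt from the record, recompute, compare in constant time."""
    _, scheme, rounds, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unknown hash scheme")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def salt_makes_records_differ(password="MgfPia?m4h."):
    """Two users with the same password get different records, yet both still verify."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)
```

The ordering of the checks in `password_status` matters: an expired account is refused regardless of password age, and a password can be "expired" (must be changed at next login) for `inactive_days` more days before the account is locked.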

6.2 One Time Password

It is more difficult to defend a password sent over a network, since a sniffer program can capture and record characters sent over the network. So someone can eavesdrop on network connections to obtain the login IDs and passwords of legitimate users.

One method for protecting passwords is to use one-time passwords (OTP). A one-time password can be used for only one login, so when someone captures a password on the net, the password has already expired.

To apply one-time passwords, we need to change the login program. Another way used in UNIX systems is to replace the user's login shell with a specialized program that prompts for the one-time password. In this case, when a user logs in, he is first asked for the password and then for the one-time password. If an incorrect password is entered, the program logs the user out.

Now we need some method to create one-time passwords. Several methods have been used.

One method is to use a token card. A token card is a small card or calculator with built-in programmed authentication functions and a serial number. A token card can be used to generate one-time passwords. The following two cards are examples.

• SECURID: A small card displays a number that changes every 30-90 seconds. The number displayed is a function of the current time and the ID of that particular card, and is synchronized with the remote server. Some versions have a keypad used to enter a personal identification number (PIN). This card is simple and small, but the server must keep its time synchronized with the card.

• SecureNet key: A small device that looks like a calculator. When the user contacts the remote server, the server displays a number as a challenge. The user then types the challenge number into the card, along with his PIN. The card displays the one-time password. The SecureNet key card can be programmed to self-destruct if an incorrect PIN is entered more than a certain number of times.

Another method to create one-time passwords is to use a codebook. This is a list of passwords that are used one at a time and then never reused. For example, a program called S/Key can be used to create a codebook. One can either run the program to generate a sequence of passwords on a portable computer or print out a listing as a paper codebook.

In 1998, a one-time password system was published as RFC 2289 (a revision of RFC 1938). This system uses a standard hash function such as MD4, MD5 or SHA-1. To create a one-time password, the server sends a challenge message to the user. The syntax of the challenge is

otp-<algorithm ID><sequence integer><seed>

where seed consists of 1 to 16 purely alphanumeric characters. An example of an OTP challenge is: otp-md5 487 dog2.

Then the user chooses a secret pass-phrase of at least 10 characters. The pass-phrase is concatenated with the seed. The result of the concatenation is passed through the secure hash function N times, where N is specified by the user. The resulting digest is the stored one-time password record. The next one-time password to be used is generated by passing the concatenation through the secure hash function N − 1 times.

To authenticate the user, the server passes the received password through the secure hash function once and compares the result with the stored previous OTP. If the result matches the previous OTP, the authentication is successful and the accepted one-time password is stored for future use. In this way, a pass-phrase can be used N − 1 times.

The security of this system depends on the hash function's one-way property. The seed used here enables the user to use the same secret pass-phrase for different machines.

Since a one-time password can be used only once, it does not need protection against eavesdropping. However, it is possible for an attacker to listen to most of a one-time password, guess the remainder, and then race the legitimate user to complete the authentication. Human typing is much slower than computer generation, so multiple guesses against the last word of the six-word format are likely to succeed. So we need some method to protect against the race attack. One method is to prevent a user from starting multiple simultaneous authentication sessions. This means that once the legitimate user has initiated authentication, an attacker would be blocked until the first authentication process has completed. In this case, a timeout is necessary to thwart a denial of service attack.
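The hash chain of the last paragraphs and the single-session guard against the race attack, as an added Python example (not code from the notes and not an RFC 2289 implementation: the 64-bit folding and six-word encoding of the RFC are left out, only the chain, the challenge syntax and the one-hash verification described above are modelled). The pass-phrase, seed, chain length N = 5 and 30-second session timeout are assumptions of the example.

```python
import hashlib
import hmac

def otp_chain(passphrase, seed, n, alg="md5"):
    """Hash passphrase||seed n times, as the text describes (chain idea only, no RFC 2289 folding)."""
    value = (passphrase + seed).encode()
    for _ in range(n):
        value = hashlib.new(alg, value).digest()
    return value

class OtpServer:
    """Stores only hash^N; one more hash application verifies the next password in the chain."""
    def __init__(self, alg, seed, n, stored, session_timeout=30):
        self.alg, self.seed, self.n, self.stored = alg, seed, n, stored
        self.session_timeout = session_timeout
        self.session_open_until = None      # race-attack guard: one login attempt at a time

    def challenge(self):
        if self.n <= 1:                      # N-1 passwords used; the user must re-initialise
            raise ValueError("one-time password sequence exhausted")
        return f"otp-{self.alg} {self.n - 1} {self.seed}"   # challenge syntax from the text

    def begin_session(self, now):
        """Refuse a second concurrent attempt; the timeout keeps a stuck session from becoming a DoS."""
        if self.session_open_until is not None and now < self.session_open_until:
            return False
        self.session_open_until = now + self.session_timeout
        return True

    def authenticate(self, otp):
        self.session_open_until = None       # the attempt is over either way
        if self.n <= 1:
            return False
        if hmac.compare_digest(hashlib.new(self.alg, otp).digest(), self.stored):
            self.stored, self.n = otp, self.n - 1      # accepted password becomes the new record
            return True
        return False

def register(passphrase, seed, n, alg="md5"):
    """Initialisation: the user computes hash^N and hands only that to the server."""
    return OtpServer(alg, seed, n, otp_chain(passphrase, seed, n, alg))

def respond(passphrase, challenge):
    """Client side: parse 'otp-<alg> <seq> <seed>' and return hash^seq of passphrase||seed."""
    head, seq, seed = challenge.split()
    alg, seq = head[len("otp-"):], int(seq)
    if not 1 <= len(seed) <= 16 or not seed.isalnum():
        raise ValueError("seed must be 1 to 16 alphanumeric characters")
    if seq < 1:                               # never send hash^0, i.e. the bare secret
        raise ValueError("refusing exhausted sequence")
    return otp_chain(passphrase, seed, seq, alg)

def login_sequence(passphrase="correct horse battery", seed="dog2", n=5):
    """Run a fresh chain to exhaustion; returns (accepted_logins, replay_rejected, wrong_passphrase_rejected)."""
    server = register(passphrase, seed, n)
    first = respond(passphrase, server.challenge())
    accepted = 1 if server.authenticate(first) else 0
    replay_rejected = not server.authenticate(first)          # same OTP again must fail
    while server.n > 1:
        if not server.authenticate(respond(passphrase, server.challenge())):
            break
        accepted += 1
    fresh = register(passphrase, seed, n)
    wrong_rejected = not fresh.authenticate(respond("wrong passphrase", fresh.challenge()))
    return accepted, replay_rejected, wrong_rejected
```

Note that the server never learns the pass-phrase and that each stored value is the hash of the next password to be presented, so a copy of the server's record is useless to an attacker unless the hash can be inverted.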

6.3 Secure Shell

Recently, another approach for remotely accessing a computer is to use the SSH (secure shell) protocol. SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt, authenticate, and compress transmitted data.

The main idea of SSH is first to establish a common key between a client and a server using a secure key exchange technique. The subsequent communications are then encrypted and authenticated. So the main idea is not very complicated. However, as a real application, we will see that many details need careful consideration.

SSH consists of three major components:

• The Transport Layer Protocol provides server authentication, confiden-tiality and integrity with perfect forward secrecy.

• The User Authentication Protocol authenticates the client to the server.

• The Connection Protocol multiplexes the encrypted tunnel into severallogical channels.

SSH is widely used now although it is still in a developing stage. In most cases, old protocols such as telnet and ftp are being replaced by SSH. We will not discuss the details of these three protocols, but give some description of the main security considerations of SSH. These descriptions are based on the Internet-Drafts written by the secsh working group. Recently, SSH has been published as RFC 4251-4256 (January 2006).

The Transport Layer Protocol can be described as follows. In SSH, the server listens for connections (on port 22). The client initiates a connection. When the connection has been established, both sides do the following. In what follows, C denotes the client and S denotes the server.

• Send an identification string to each other. The main contents of the string are the version of SSH and the version of the software used. An example is as follows.

SSH-2.0-billsSSH 3.6.3q3<CR><LF>

In this example, the sender uses protocol version 2.0 and the software billsSSH 3.6.3q3. The identification string must be terminated by a single Carriage Return (CR) and a single Line Feed (LF) character (ASCII 13 and 10, respectively).

• Both sides send out a KEXINIT packet. This packet includes a cookie (random bytes) and lists of the algorithms supported by the machine, such as key exchange algorithms, encryption algorithms, MAC algorithms, compression algorithms and languages. All the algorithms are listed in order of preference. This packet is used for each side to choose the same algorithms they will use later. The purpose of the cookie is to make it impossible for either side to fully determine the keys and the session identifier.

• Run the key exchange. For example, the following Diffie-Hellman key exchange can be used (p, q, α are defined as in Section 5.3).

1. C generates a random number x (1 < x < q) and sends the value e = α^x mod p to S.

2. S generates a random value y (0 < y < q) and computes f = α^y mod p, K = e^y = α^{xy} mod p and

H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K),

where V_C, V_S are the version strings for C and S respectively, I_C (I_S) is the payload of C's (respectively S's) KEXINIT, and K_S is S's public key, used to verify the signature. A payload means the useful contents of the packet. Then S computes the signature s on H and sends K_S || f || s to C.

3. C checks K_S against a local database or some trusted certification authority. C computes K = f^x mod p and

H = hash(V_C || V_S || I_C || I_S || K_S || e || f || K).

Then C verifies the signature s.

K is the session key. A session key should be renewed after some time. It is recommended that the keys be changed after each gigabyte of transmitted data or after each hour of connection time, whichever comes sooner.

• User Authentication protocol and connection protocol may start afterthe key exchange.

• C requests a service from S and S provides the service. In this stage,all the communications should be encrypted and authenticated.

Page 114: CS 4476/5413 Lecture Notes INTRODUCTION TO NETWORK SECURITYccc.cs.lakeheadu.ca/cs4476/lecture.pdf · CS 4476/5413 Lecture Notes INTRODUCTION TO NETWORK SECURITY Ruizhong Wei Department

108 CHAPTER 6. REMOTE ACCESS CONTROL

• Either party sends out a disconnection message.

In each step of the communication, if any party finds something wrong, thenthe connection will be broken.

All packets following the identification string use the following binarypacket protocol.

PKL PDL Payload Padding MAC

The fields of the packet is as follows. The total size of the packet is 35, 000bytes or less.

• PKL (32 bits): The length of the packet (in bytes), not including MACand PKL field itself.

• PDL (8 bits): The Length of padding (in bytes).

• Payload (n1 bytes): The useful contents of the packet. If compressionhas been negotiated, this field is compressed. n1 = PKL-PDL - 1.

• Padding (PDL bytes): Added random padding bytes, such that thetotal length of the packet is a multiple of the cipher block size or 8,whichever is larger. The length of the padding (PDL) is between 4bytes to 255 bytes.

• MAC: If message authentication has been negotiated, this field containsthe MAC bytes. Initially, the MAC algorithm is “none”.

The encryption method required in SSH is 3-DES (3 keys) in CBC mode. Other methods recommended for SSH are AES-128, AES-192 and AES-256. Optional encryption algorithms can be used in SSH, such as Blowfish, Twofish, Serpent, IDEA and CAST. The compression method currently defined is zlib. The message authentication used in SSH is HMAC. The hash function used is SHA-1, but MD5 is still an option. So we first use HMAC to get the authenticated digest of a message m. Then the message m is encrypted by the negotiated encryption method. The actually transmitted data is the encrypted message together with the authenticated digest. The signature scheme used in SSH is DSS.
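An added Go example, not code from these notes or from any SSH implementation, that builds and parses a packet in the PKL || PDL || Payload || Padding || MAC layout above with HMAC-SHA1 as the MAC; encryption is left out so the fields stay visible. BuildPacket and ParsePacket are names chosen here, and the MAC is computed over the sequence number followed by the unencrypted packet, as RFC 4253 requires.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Limits taken from the packet description: at most 35,000 bytes per
// packet, padding of 4 to 255 bytes, total length a multiple of
// max(cipher block size, 8).
const (
	maxPacket  = 35000
	minPadding = 4
	maxPadding = 255
)

// alignment is the multiple the packet length must be rounded up to.
func alignment(blockSize int) int {
	if blockSize > 8 {
		return blockSize
	}
	return 8
}

// computeMAC returns HMAC-SHA1(key, seqnum || PKL || PDL || payload || padding).
func computeMAC(key []byte, seqnum uint32, packet []byte) []byte {
	h := hmac.New(sha1.New, key)
	binary.Write(h, binary.BigEndian, seqnum)
	h.Write(packet)
	return h.Sum(nil)
}

// BuildPacket lays out PKL || PDL || payload || random padding || MAC.
func BuildPacket(payload []byte, blockSize int, macKey []byte, seqnum uint32) ([]byte, error) {
	align := alignment(blockSize)
	// 4 (PKL) + 1 (PDL) + payload + padding must be a multiple of align.
	padLen := align - (5+len(payload))%align
	if padLen < minPadding {
		padLen += align
	}
	if padLen > maxPadding {
		return nil, errors.New("padding length exceeds 255")
	}
	pkl := 1 + len(payload) + padLen // PDL field + payload + padding
	if 4+pkl > maxPacket {
		return nil, fmt.Errorf("packet of %d bytes exceeds %d", 4+pkl, maxPacket)
	}
	padding := make([]byte, padLen)
	if _, err := rand.Read(padding); err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint32(pkl))
	buf.WriteByte(byte(padLen))
	buf.Write(payload)
	buf.Write(padding)
	buf.Write(computeMAC(macKey, seqnum, buf.Bytes()))
	return buf.Bytes(), nil
}

// ParsePacket checks every field constraint before trusting the payload and
// verifies the MAC in constant time; any violation rejects the packet.
func ParsePacket(data []byte, blockSize int, macKey []byte, seqnum uint32) ([]byte, error) {
	macLen := sha1.Size
	if len(data) < 4+1+minPadding+macLen {
		return nil, errors.New("packet too short")
	}
	pkl := int(binary.BigEndian.Uint32(data[:4]))
	if 4+pkl+macLen != len(data) {
		return nil, errors.New("PKL does not match the data received")
	}
	if 4+pkl > maxPacket {
		return nil, errors.New("packet exceeds 35,000 bytes")
	}
	if (4+pkl)%alignment(blockSize) != 0 {
		return nil, errors.New("packet length is not block aligned")
	}
	padLen := int(data[4])
	if padLen < minPadding || padLen > pkl-1 {
		return nil, errors.New("bad padding length")
	}
	body := data[:4+pkl]
	if !hmac.Equal(computeMAC(macKey, seqnum, body), data[4+pkl:]) {
		return nil, errors.New("MAC verification failed")
	}
	return body[5 : 5+(pkl-1-padLen)], nil // n1 = PKL - PDL - 1 payload bytes
}

func main() {
	key := []byte("constructed-mac-key") // constructed sample key
	pkt, err := BuildPacket([]byte("SSH_MSG_SERVICE_REQUEST ssh-userauth"), 16, key, 3)
	if err != nil {
		panic(err)
	}
	payload, err := ParsePacket(pkt, 16, key, 3)
	fmt.Printf("%d bytes on the wire, payload %q, err=%v\n", len(pkt), payload, err)
	pkt[6] ^= 0x01 // flip one payload bit: the MAC check must now fail
	_, err = ParsePacket(pkt, 16, key, 3)
	fmt.Println("after tampering:", err)
}
```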

The SSH authentication protocol runs on top of the SSH transport layer protocol and provides a single authenticated tunnel for the SSH connection protocol. The service name for this protocol is "ssh-userauth". Basically, the client sends authentication requests using the following format:

SSH_MSG_USERAUTH_REQUEST (code 50)
    user name
    service name
    method name
    method specific fields

The server should have a timeout for authentication, and disconnect if the authentication has not been accepted within the timeout period. If the authentication is successful, then the server sends out a response:

SSH_MSG_USERAUTH_SUCCESS (code 52)

Otherwise the server responds:

SSH_MSG_USERAUTH_FAILURE (code 51)
    authentications that can continue
    partial success

where "authentications that can continue" is a comma-separated list of authentication method names that may productively continue the authentication dialog, and "partial success" is a boolean value of true or false.

There are three authentication methods used in SSH. One is the public key authentication method. In this method, the user uses a public key signature scheme to sign a message that contains the session identifier, user name, public key algorithm name, the public key to be used for authentication, etc. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct.

The second method is the password authentication method. In this method, the user needs to transmit the password to the server. Since this transmitted packet is on the transport layer, it is encrypted. In this case, both the server and the client should check whether the underlying transport layer provides confidentiality (i.e., whether encryption is being used).

The third method is host-based authentication. This form of authentication is optional, since it is not suitable for high-security sites. It is similar to the UNIX rhosts and hosts.equiv styles of authentication, except that the identity of the client host is checked more rigorously. In this method, the client sends a public key signature made with the key of the client host. The message signed contains the session identifier, user name, public key algorithm for the host key, public host key and certificates for the client host, client host name, etc. The server verifies that the host key actually belongs to the client host name in the message, that the given user on that host is allowed to log in, and that the signature is a valid signature on the appropriate value by the given host key. If it is possible, the server performs additional checks to verify that the network address obtained from the network matches the given client name.

The SSH connection protocol has been designed to run on top of the SSH transport layer and user authentication protocols. It provides interactive login sessions, remote execution of commands, forwarded TCP/IP connections, and forwarded X11 connections. All of these channels are multiplexed into a single encrypted tunnel. We will omit the details of this protocol, since most security considerations are addressed in the transport layer protocol and the user authentication protocol.

The design of the SSH protocols considered security, efficiency and flexibility. It is intended to be implemented at the application level.

Page 117: CS 4476/5413 Lecture Notes INTRODUCTION TO NETWORK SECURITYccc.cs.lakeheadu.ca/cs4476/lecture.pdf · CS 4476/5413 Lecture Notes INTRODUCTION TO NETWORK SECURITY Ruizhong Wei Department

Chapter 7

E-Mail Security

Electronic mail is one of the most heavily used network-based applications. With the explosively growing reliance on e-mail, there grows a demand for secure e-mail systems. In an e-mail system, there are a sender and a receiver. However, usually the receiver is not on-line. So in an e-mail system, usually there is no message interchange when the sender sends an e-mail. On the other hand, some e-mail systems (e.g., SMTP) can only deliver ASCII codes. We need to consider how to provide authentication and confidentiality services in this situation. We will examine the two most widely used systems.

7.1 Pretty Good Privacy

Pretty Good Privacy, or PGP, was developed by Phil Zimmermann. PGP uses public key encryption, a signature scheme, a hash function, secret key encryption, a compression function and e-mail compatibility. We can outline the algorithm as follows.

When Alice (A) wants to send a message M to Bob (B), she does the following.

1. Computes H(M), where H is a hash function.

2. Signs the digest. So A computes sigA(H(M)).

3. Compresses the message. A computes CM = zip(sigA(H(M))||M).

4. Chooses a session key K (a random number) and encrypts CM using the session key. A computes eK(CM).

5. Uses B’s public key to encrypt K. She computes eKB(K).

6. Concatenates eK(CM)||eKB(K).

7. Uses Radix-64 conversion (explained later) to convert eK(CM)||eKB(K) to printable characters.

8. Sends out the above message. The message is split into segments before sending, if necessary.

Bob does the following when he receives the message.

1. Uses Radix-64 to convert the message into binary version.

2. Decrypts eKB(K) to obtain session key K.

3. Decrypts eK(CM) to obtain CM .

4. Unzips CM to obtain sigA(H(M))||M .

5. Computes H(M) from M.

6. Verifies sigA(H(M)).
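An added, runnable Go example of Alice's eight sending steps and Bob's six receiving steps above, using only the standard library; it is not PGP's own code or packet format. RSA PKCS#1 v1.5 over SHA-256 stands in for the text's RSA/DSS over SHA-1, RSA-OAEP for eKB, AES-256 in CTR mode for eK, zlib for zip and encoding/base64 for radix-64; Seal, Open and the byte layout eKB(K) || nonce || eK(CM) are assumptions of this example.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Constructed layout: radix64( eKB(K) || nonce || eK(zip(sigA(H(M)) || M)) ).
// The RSA ciphertext is exactly one modulus long, so no length prefix is needed.

// Seal follows Alice's steps 1 to 7.
func Seal(msg []byte, alice *rsa.PrivateKey, bob *rsa.PublicKey) (string, error) {
	digest := sha256.Sum256(msg)                                              // 1. H(M)
	sig, err := rsa.SignPKCS1v15(rand.Reader, alice, crypto.SHA256, digest[:]) // 2. sigA(H(M))
	if err != nil {
		return "", err
	}
	var zipped bytes.Buffer // 3. CM = zip(sigA(H(M)) || M)
	zw := zlib.NewWriter(&zipped)
	zw.Write(sig)
	zw.Write(msg)
	zw.Close()
	keyAndNonce := make([]byte, 32+aes.BlockSize) // 4. fresh one-time session key K
	if _, err := io.ReadFull(rand.Reader, keyAndNonce); err != nil {
		return "", err
	}
	sessionKey, nonce := keyAndNonce[:32], keyAndNonce[32:]
	block, _ := aes.NewCipher(sessionKey)
	ct := make([]byte, zipped.Len())
	cipher.NewCTR(block, nonce).XORKeyStream(ct, zipped.Bytes())                       // eK(CM)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bob, sessionKey, nil) // 5. eKB(K)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer // 6. eKB(K) || nonce || eK(CM)
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(ct)
	return base64.StdEncoding.EncodeToString(out.Bytes()), nil // 7. radix-64
}

// Open follows Bob's steps 1 to 6 and returns M only if the signature verifies.
func Open(armored string, bob *rsa.PrivateKey, alice *rsa.PublicKey) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(armored) // 1. back to binary
	if err != nil {
		return nil, err
	}
	n := bob.Size() // length of eKB(K)
	if len(raw) < n+aes.BlockSize {
		return nil, errors.New("truncated message")
	}
	wrapped, nonce, ct := raw[:n], raw[n:n+aes.BlockSize], raw[n+aes.BlockSize:]
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, bob, wrapped, nil) // 2. K
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	zipped := make([]byte, len(ct)) // 3. CM
	cipher.NewCTR(block, nonce).XORKeyStream(zipped, ct)
	zr, err := zlib.NewReader(bytes.NewReader(zipped)) // 4. sigA(H(M)) || M
	if err != nil {
		return nil, err
	}
	plain, err := io.ReadAll(zr)
	if err != nil {
		return nil, err
	}
	sigLen := alice.Size()
	if len(plain) < sigLen {
		return nil, errors.New("missing signature")
	}
	sig, msg := plain[:sigLen], plain[sigLen:]
	digest := sha256.Sum256(msg)                                                     // 5. H(M)
	if err := rsa.VerifyPKCS1v15(alice, crypto.SHA256, digest[:], sig); err != nil { // 6. verify
		return nil, err
	}
	return msg, nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	armored, _ := Seal([]byte("constructed message"), alice, &bob.PublicKey)
	msg, err := Open(armored, bob, &alice.PublicKey)
	fmt.Printf("%q err=%v\n", msg, err)
}
```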

PGP has many nice features. We give some further discussion of the operations of PGP.

• Confidentiality. PGP uses a secret session key to encrypt (CAST, IDEA, AES, Blowfish, 3-key DES, etc.) and the session key is actually a one-time key. The session key is sent by public key encryption (RSA or ElGamal). So a key exchange is not needed and we don't need handshaking to assure that both sides have the same session key.

• Authentication. PGP uses a hash function (SHA-1 or MD5) to obtain a digest of the message. Then a public key signature scheme (RSA or DSS) is used to sign the digest.

• Compression. PGP uses zip (or zlib) to compress the message and the signature. Message encryption is applied after compression to strengthen the security, because the compressed message has less redundancy than the original text. The basic idea of zip compression is to replace a repeated string by a short code. For example, consider the following text

the more he read the letter the more he confused by the

letter they wrote

The zip program will search the text to find repeated sequences. The second appearance of "the more he " will be replaced by a code (18, 10), where 18 is a pointer to 18 characters before and 10 is the length of the sequence. Similarly, the second appearance of "the letter the" will be replaced by a code (38, 16). In this way, the compressed message will be shorter and have less redundancy than the original message.

• E-mail compatibility. Since many e-mail systems only permit the use of blocks consisting of ASCII text, PGP uses Radix-64 (also called base 64) to convert the raw 8-bit binary stream to a stream of ASCII characters as follows.

Suppose there is a 24-bit block:

001000 110101 110010 010001

which is divided into four 6-bit groups. Each 6-bit group can be converted into a number between 0 and 63. In the above example, the 24 bits are converted to the numbers 8, 53, 50, 17. Then the following correspondence is used. The numbers from 0 to 25 correspond to the characters A to Z. The numbers from 26 to 51 correspond to the characters a to z. The numbers from 52 to 61 correspond to the characters 0 to 9. The number 62 corresponds to the character + and the number 63 corresponds to the character /. Thus the numbers 8, 53, 50, 17 correspond to I1yR. If the length of the binary stream is not divisible by 6, then four or two "0" bits need to be padded. In these cases, two or one "=" are appended as an indicator. Finally, radix-64 outputs the characters as 8-bit ASCII codes. So radix-64 expands 24 bits to 32 bits. However, since PGP uses zip compression, which has an average compression rate of about 2.0, the overall compression is about one-third.
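An added Go example, not code from these notes or from PGP, that carries out the 6-bit mapping and padding rules above by hand (Radix64Encode and Radix64Decode are names chosen here) and checks the result against the text's I1yR and against the standard library's base64 encoder.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// The alphabet described in the text: 0-25 -> A-Z, 26-51 -> a-z,
// 52-61 -> 0-9, 62 -> '+', 63 -> '/'.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

// Radix64Encode takes the input three bytes (24 bits) at a time, splits each
// group into four 6-bit values and maps them through the alphabet. A trailing
// group of one or two bytes is padded with four or two zero bits and marked
// with "==" or "=" respectively.
func Radix64Encode(in []byte) string {
	out := make([]byte, 0, (len(in)+2)/3*4)
	for i := 0; i < len(in); i += 3 {
		var group uint32
		n := 0 // bytes actually present in this group
		for j := 0; j < 3; j++ {
			group <<= 8
			if i+j < len(in) {
				group |= uint32(in[i+j])
				n++
			}
		}
		// n bytes carry 8n bits, which fill n+1 six-bit symbols; the rest is "=".
		for k := 0; k < 4; k++ {
			if k <= n {
				out = append(out, alphabet[(group>>uint(18-6*k))&0x3f])
			} else {
				out = append(out, '=')
			}
		}
	}
	return string(out)
}

// Radix64Decode reverses the mapping, rejects characters outside the
// alphabet and strips the bytes covered by the "=" indicator.
func Radix64Decode(s string) ([]byte, error) {
	if len(s)%4 != 0 {
		return nil, errors.New("length is not a multiple of 4")
	}
	var out []byte
	for i := 0; i < len(s); i += 4 {
		var group uint32
		pad := 0
		for k := 0; k < 4; k++ {
			c := s[i+k]
			group <<= 6
			if c == '=' {
				pad++
				continue
			}
			if pad > 0 {
				return nil, errors.New("data after padding indicator")
			}
			v := strings.IndexByte(alphabet, c)
			if v < 0 {
				return nil, fmt.Errorf("invalid character %q", c)
			}
			group |= uint32(v)
		}
		if pad > 2 {
			return nil, errors.New("too much padding")
		}
		out = append(out, byte(group>>16), byte(group>>8), byte(group))
		out = out[:len(out)-pad]
	}
	return out, nil
}

func main() {
	sample := []byte{0x23, 0x5c, 0x91} // the 24-bit block 001000 110101 110010 010001
	enc := Radix64Encode(sample)
	dec, _ := Radix64Decode(enc)
	fmt.Printf("%s %x stdlib-agrees=%v\n", enc, dec, enc == base64.StdEncoding.EncodeToString(sample))
}
```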

Alice's use of PGP involves three types of keys: a session key, her own key pair of a public key system, and Bob's public key. So we need to consider key management and public key certificates.

For the session key, PGP defines a random number generation algorithm. CAST-128 uses a key of size 128 bits.

Since a public key system has two keys, one public key and one private key, how to securely store the private key is a problem. In PGP, when the system generates a new public/private key pair, it asks the user for a passphrase. SHA-1 is then applied to the passphrase to get a 160-bit digest. This digest is used as a key to encrypt the private key of the public key system. The ciphertext is then stored in a file (called the secret-key ring or private-key ring). Subsequently, when the user wants to retrieve the private key, he or she must supply the passphrase. PGP will retrieve the encrypted private key, generate the digest of the passphrase, and decrypt the ciphertext to obtain the private key.

The structure of the private-key ring is as follows, where the records are indexed by Key ID or User ID.

Timestamp | Key ID | Public Key | Encrypted private key | User ID
...       | ...    | ...        | ...                   | ...
...       | ...    | ...        | ...                   | ...

For the public key, there are more things we need to consider. First, a public key ID is used in PGP to indicate which public key is used. This is necessary if Bob has more than one public key. PGP uses the last 64 bits of the public key as the key ID. The most difficult and complicated thing for the public key is how to certify it. PGP uses a referral method for certification. PGP uses a public-key ring to record the public keys of other users that are known to this user. In each entry of the ring, several fields are listed, which include timestamp (the date/time at which this entry was generated), key ID, public key, user ID (the owner of this key), owner trust (a trust flag indicating the user's assessment of the trust in the owner of the public key), key legitimacy, signature(s), signature trust, etc. A PGP certificate can be signed by several users. These signatures are collected in the signature fields. For each signature there is a trust flag of the signature recorded in the signature trust field. Based on this information, PGP computes a value of the trust level of the public key and records the value in the key legitimacy field. The higher the level of trust, the stronger is the binding of this user ID to this key. The structure of a public-key ring is as follows.

Timestamp | Key ID | Public key | Owner trust | User ID | Key legitimacy | Signatures | Signature trusts
...       | ...    | ...        | ...         | ...     | ...            | ...        | ...
...       | ...    | ...        | ...         | ...     | ...            | ...        | ...

PGP also considers how to revoke public keys. Usually a user will revoke a key after some time or for some reason. On the other hand, the system will not let a user revoke other users' public keys.

The format of a PGP message is described in Figure 7.1.

Figure 7.1: General format of a PGP message (figure reconstructed as text)

Session key component: Key ID of recipient's public key; E_KB(K)
Signature component: Timestamp; Key ID of sender's public key; Leading two octets of message digest; Sig_A(message digest)
Message component: File name; Timestamp; Data

The signature and message components are compressed with ZIP, the result is encrypted with E_K, and the whole block (session key component included) is converted with R64.

Notation: KB: receiver's public key; K: session key; SigA: sender's signature; R64: Radix-64

This format includes three components: session key, signature, and message.

The timestamp indicates the time at which the signature (or the message) was made. The leading two octets of the message digest are used by the receiver to check the signature.

The message component and the optional signature component may be compressed using ZIP and may be encrypted using a session key. The entire block is usually encoded with radix-64.

In the implementation of PGP, several requirements are considered, such as the flexibility that allows the user to use or not use encryption or authentication, the revocation of public keys, etc. We omit the details here.

RFC 2440 describes a standard of PGP called OpenPGP. RFC 3156 describes how the OpenPGP Message Format can be used to provide privacy and authentication using the Multipurpose Internet Mail Extensions (MIME) security content types described in RFC 1847.

7.2 S/MIME

Secure/Multipurpose Internet Mail Extensions (S/MIME) is another security-enhanced e-mail system. S/MIME is similar to PGP in that it uses a signature scheme, a session key and secret key encryption. The S/MIME version 3.1 message specification is given in RFC 3851. It appears likely that S/MIME will emerge as the industry standard for commercial and organizational use, while PGP will remain the choice for personal use.

MIME is specified in RFCs 2045 through 2049. MIME is an extension of the Simple Mail Transfer Protocol (SMTP) that is specified in RFC 822. MIME is more flexible and powerful than SMTP. MIME uses different transfer encodings such as 7-bit, 8-bit, binary, base64, etc. So MIME can be used to send texts, mixed messages, images, video and audio files, executable files, etc., while SMTP can only transfer ASCII codes.

S/MIME is very similar to PGP. It also offers the ability to encrypt and authenticate messages. The hash functions used in S/MIME are SHA-1 and MD5. The signature schemes used in S/MIME are DSS and the RSA signature scheme. The public key encryption system used is the ElGamal cryptosystem or RSA encryption with key sizes from 512 bits to 1024 bits. The data encryption method used is triple DES or RC2. In S/MIME version 3.1, more advanced security algorithms are included, such as SHA-256, SHA-384, SHA-512, AES, etc.

S/MIME provides the following functions:

• Enveloped data: This consists of encrypted content of any type and encrypted content-encryption keys for one or more recipients. To prepare enveloped data, the sender generates a pseudo-random session key and then, for each recipient, encrypts the session key with the recipient's public RSA key. For each recipient, the sender prepares a RecipientInfo that contains the sender's public key certificate, an identifier of the public key system used to encrypt the session key, and the encrypted session key. The message content is encrypted using the session key. The RecipientInfo blocks followed by the encrypted message content constitute the enveloped data. It is then encoded into base64.

• Signed data: A digital signature is formed for the message. The sender selects a hash function and computes the digest of the message content. Then the sender signs the message digest using a signature scheme. A block known as SignerInfo is formed, which contains the signer's public key certificate, an identifier of the hash function, an identifier of the signature scheme and the signature. The content and the SignerInfo are then encoded into base64.

• Clear-signed data: Uses the same method as signed data to form a signature. However, in this case, only the digital signature is encoded into base64. The message content is not encoded, so that recipients without S/MIME can view the message, although they cannot verify the signature. The data consist of two parts: one part is the message content and the other part is an attached digital signature.

• Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed, and signed data or clear-signed data may be encrypted.

Since there is no interaction between a sender and a recipient when the sender sends an e-mail, some decisions about the algorithm used for the content have to be made by the sender. First, the sending agent must determine if the receiving agent is able to decrypt the message using a given encryption algorithm. Second, if the receiving agent is only capable of accepting weakly encrypted content, the sending agent must decide if it is acceptable to send using weak encryption. To support this decision process, a sending agent may announce its decrypting capabilities in order of preference. A receiving agent may store that information for future use. Usually, the sending agent should use the first method in the intended receiver's list or the method used on the last message received from that intended recipient. If the sending agent has no knowledge about the decryption capabilities of the intended recipient, then the sending agent uses triple DES when the sender is willing to risk that the recipient may not be able to decrypt the message, or uses RC2 otherwise.

The certificates used in S/MIME are X.509 certificates.

RFC 2634 defines Enhanced Security Services for S/MIME, which is a set of extensions to S/MIME to allow signed receipts, security labels, and secure mailing lists.

Chapter 8

Web Security

Web security includes three parts: security of the server, security of the client, and security of the network traffic between a browser and a server. Security of the server and security of the client are problems of computer security. In this chapter we consider the traffic security.

Network security can be considered at different levels, for example:

• Network level: Use IPSec.

• Transport level: Use SSL (Secure Socket Layer) or TLS (Transport Layer Security).

• Application level: Use PGP, S/MIME, SET (Secure Electronic Transaction).

In this chapter we discuss some schemes related to the web security.

8.1 SSL

Secure Socket Layer (SSL) was developed by Netscape. The main part of SSL consists of several protocols: the SSL Handshake Protocol, the SSL Change Cipher Spec Protocol, the SSL Alert Protocol and the SSL Record Protocol. We give an outline of these protocols in what follows.

(a) SSL Record Protocol

This protocol defines how to transmit an application message in SSL. The sender of a message does the following:

• Fragmentation: The message is fragmented into blocks of 2^14 bytes or less.

• Compression: (optional).

• Add MAC: Compute a MAC using a shared secret key K and add the resulting MAC to the fragment. The MAC function used in SSL is similar to HMAC. A hash function h and a shared secret key K are used. The MAC value is computed as follows.

h(K||pad2||h(K||pad1||seqnum||type||length||M))

where seqnum is the sequence number of the message, type is the higher-level protocol used to process this fragment, length is the length of the fragment and M is the content of the fragment. pad1 and pad2 are fixed paddings, each a repetition of a fixed byte.

• Encrypt: Encrypt the compressed message plus the MAC using symmetric encryption (block cipher or stream cipher). The block ciphers used in SSL are IDEA, DES, 3-DES, RC4, Fortezza. The stream cipher used is RC4.

• Append SSL record header: The header consists of Content Type (8 bits), Major Version (8 bits), Minor Version (8 bits) and Compressed Length (16 bits). The compressed length is the length of the plaintext (or compressed plaintext) fragment in bytes. The maximum value is 2^14 + 2048. The content types are change cipher spec, alert, handshake and application data.

The SSL record format is illustrated in Figure 8.1. The following Change Cipher Spec Protocol and Alert Protocol are encapsulated by the Record Protocol.

(b) Change Cipher Spec Protocol

This protocol consists of a single byte with the value 1. This message causes the pending state to be copied into the current state, which updates the cipher suite. Usually, it is sent during the handshake sequence (we will discuss the Handshake Protocol later) after key exchange and certificate verification (optional).

Content Type | Major Version | Minor Version | Compressed Length

Plaintext or compressed text

MAC (0, 16 or 20 bytes)

Note: The message except the header is encrypted.

Figure 8.1: SSL Record Format

(c) Alert Protocol

Each message of this protocol consists of two bytes. The first byte takes the value warning (1) or fatal (2). The second byte contains a code which indicates the specific alert, such as unexpected message, bad record mac, bad certificate, etc.

(d) Handshake Protocol

This protocol is more complicated than the other SSL protocols. The protocol consists of a series of messages exchanged by the client and the server. Each message has three fields:

• Type (1 byte): Indicates the message type, such as hello request, client hello, server key exchange, certificate verify, etc.

• Length (3 bytes): The length of the message in bytes.

• Content (≥ 1 byte): The parameters associated with this message.

The protocol can be viewed as having four phases of exchanges. Now we give a description of these exchanges.

Phase 1. Establish Security Capabilities

The client initiates the exchange by sending a client hello message (in SSL record format) which contains: version, random number (nonce), session ID, CipherSuite, which is a list of the cryptographic algorithms supported by the client, and compression method, which is a list of the compression methods the client supports.

After sending the client hello message, the client waits for the server hello message, which contains the same parameters as the client hello message, but only one CipherSuite and one compression method are chosen.

The elements of a CipherSuite are the key exchange method and the CipherSpec, which includes the cipher algorithm, MAC algorithm, cipher type (stream or block), hash size, key material, IV size, etc.

Phase 2. Server Authentication and Key Exchange

The server first sends its certificate message. Then a server key exchange message may be sent if it is required. A certificate request message may follow to request the client's certificate. Finally, the server sends the server done message, which indicates the end of the server hello.

Phase 3. Client Authentication and Key Exchange

Upon receipt of the server done message, the client should verify the certificate and the server hello parameters. If everything is fine, then the client sends back messages to the server. First the client sends a certificate message or a no certificate alert, according to whether the server requested a certificate. Next the client sends the client key exchange message, which contains a 48-byte pre-master secret if RSA is used, or the public parameters of the Diffie-Hellman scheme. We will explain the pre-master secret later. Finally, the client may send a certificate verify message, which provides verification of the client certificate.

Phase 4. Finish

This phase completes the setting up of a secure connection. The client sends a change cipher spec message and copies the pending CipherSpec into the current CipherSpec. Then the client sends the finished message under the new algorithms, keys, and secrets. The finished message is a hash value of the master secret, the handshake messages (which consist of all of the data from the handshake messages up to but not including this message) and some other codes. The master secret is computed from the pre-master secret. The master secret is then used to generate the session keys which are used for encryption and authentication.

In response to these messages, the server sends its own change cipher spec message and its finished message. At this point, the handshake is complete and the client and the server may begin to exchange application layer data using the keys derived from the master secret.

In SSL, the master secret is created as follows. First the client and the server establish a pre-master secret. There are two methods to do that. One method uses the RSA system. In this case, the client generates a 48-byte pre-master secret, encrypts it with the server's public RSA key and sends the ciphertext to the server. The other method uses the Diffie-Hellman key exchange scheme to create the pre-master secret.

After both sides have the pre-master secret, they compute the master secret as follows.

MD5(pre_master_secret || SHA('A' || pre_master_secret || ClientHello.random || ServerHello.random)) ||
MD5(pre_master_secret || SHA('BB' || pre_master_secret || ClientHello.random || ServerHello.random)) ||
MD5(pre_master_secret || SHA('CCC' || pre_master_secret || ClientHello.random || ServerHello.random))

where ClientHello.random and ServerHello.random are the two nonce values exchanged in the initial hello messages.

The common secret keys used for authentication and block encryption are formed from the master secret as follows.

MD5(master_secret || SHA('A' || master_secret || ClientHello.random || ServerHello.random)) ||
MD5(master_secret || SHA('BB' || master_secret || ClientHello.random || ServerHello.random)) ||
MD5(master_secret || SHA('CCC' || master_secret || ClientHello.random || ServerHello.random)) || ...

until enough output for the key size.
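An added Go example, not code from these notes, that carries the Record Protocol MAC formula h(K||pad2||h(K||pad1||seqnum||type||length||M)) and the master-secret and key-block derivations above through with the standard library's MD5 and SHA-1. The pad1/pad2 values (0x36 and 0x5c repeated 40 times for SHA-1) come from the SSL 3.0 specification; RecordMAC, mixRound and Expand are names chosen here, and both derivations use the random-value order as written above.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// pad1 and pad2 are the fixed paddings of the SSLv3 MAC: the bytes 0x36 and
// 0x5c repeated 40 times when the hash is SHA-1 (48 times for MD5).
var (
	pad1 = bytes.Repeat([]byte{0x36}, 40)
	pad2 = bytes.Repeat([]byte{0x5c}, 40)
)

// RecordMAC computes h(K||pad2||h(K||pad1||seqnum||type||length||M)) with h = SHA-1.
func RecordMAC(key []byte, seqnum uint64, ctype byte, fragment []byte) []byte {
	inner := sha1.New()
	inner.Write(key)
	inner.Write(pad1)
	binary.Write(inner, binary.BigEndian, seqnum)
	inner.Write([]byte{ctype})
	binary.Write(inner, binary.BigEndian, uint16(len(fragment)))
	inner.Write(fragment)
	outer := sha1.New()
	outer.Write(key)
	outer.Write(pad2)
	outer.Write(inner.Sum(nil))
	return outer.Sum(nil)
}

// mixRound is one term MD5(secret || SHA(label || secret || clientRandom || serverRandom)).
func mixRound(secret, label, clientRandom, serverRandom []byte) []byte {
	s := sha1.New()
	s.Write(label)
	s.Write(secret)
	s.Write(clientRandom)
	s.Write(serverRandom)
	m := md5.New()
	m.Write(secret)
	m.Write(s.Sum(nil))
	return m.Sum(nil)
}

// Expand concatenates rounds with the labels "A", "BB", "CCC", ... until n
// bytes are available. With n = 48 on the pre-master secret it yields the
// master secret (exactly the three terms shown above); on the master secret
// it yields the key block from which MAC keys, cipher keys and IVs are cut.
func Expand(secret, clientRandom, serverRandom []byte, n int) []byte {
	var out []byte
	for i := 0; len(out) < n; i++ {
		label := bytes.Repeat([]byte{byte('A' + i)}, i+1)
		out = append(out, mixRound(secret, label, clientRandom, serverRandom)...)
	}
	return out[:n]
}

func main() {
	// Constructed values: a 48-byte pre-master secret and two 32-byte nonces.
	pms := bytes.Repeat([]byte{0x01}, 48)
	cr := bytes.Repeat([]byte{0x02}, 32)
	sr := bytes.Repeat([]byte{0x03}, 32)
	master := Expand(pms, cr, sr, 48)
	// 3DES with SHA-1 needs 2 MAC keys (20), 2 cipher keys (24) and 2 IVs (8).
	keyBlock := Expand(master, cr, sr, 2*20+2*24+2*8)
	mac := RecordMAC(keyBlock[:20], 0, 23, []byte("constructed fragment"))
	fmt.Printf("master=%x\nmac=%x\n", master, mac)
}
```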

TLS (Transport Layer Security) is an IETF standardization initiative whose goal is to produce an Internet standard version of SSL. TLS is very similar to SSL. Netscape products also support TLS. Some differences of TLS from SSL are that TLS uses the standard HMAC and TLS does not support Fortezza, etc. TLS is described in RFC 3456.

8.2 Secure Electronic Transaction (SET)

SET is an open encryption and security specification designed to protect credit card transactions on the Internet. SSL secures communications between a client and a server. However, if we use SSL for credit card transactions, some problems might occur. For example, the information of a credit card might be used by the server for some purpose not desired by the client. On the other hand, a client might supply an invalid credit card number. SET is designed as a secure credit card payment system over the Internet, which protects both customers and merchants. SET is more complicated than SSL. A full description of SET needs a hundred pages. In this section, we just give a brief description of SET.

SET participants include the following:

• Cardholder: One who holds a payment card (credit card) issued by an issuer. A cardholder will use the card to purchase over the Internet.

• Merchant: A person or organization that has goods or services to sell to the cardholder. A merchant that accepts payment cards must have a relationship with an acquirer.

• Issuer: A financial institution that provides the cardholder with thepayment card.

• Acquirer: A financial institution that establishes an account with a merchant and processes payment card authorizations and payments. Merchants will usually accept more than one credit card brand but do not want to deal with multiple bankcard associations or with multiple issuers. The acquirer provides authorization to the merchant that a given card is fine. The acquirer also pays the merchant's account and is then reimbursed by the issuer.

• Payment gateway: A function operated by the acquirer or a third party that processes merchant payment messages. The payment gateway interfaces between SET and the existing bankcard payment network.

• Certification authority (CA): An entity that is trusted to issue public key certificates (X.509) for cardholders, merchants, and payment gateways.

Figure 8.2: SET components (Cardholder, Merchant, Issuer, Acquirer, Payment gateway and Certificate Authority, connected over the Internet and the payment Network)

The components of SET can be described as in Figure 8.2. Next we give an outline of the sequence of events for a transaction using SET.

1. The customer opens an account. The customer obtains a credit card that supports electronic payment and SET.

2. The customer receives a certificate. The customer receives a digital certificate (X.509) signed by the bank. The certificate verifies the customer's RSA public key and its expiration date. It also establishes a relationship between the customer's key pair and his/her credit card.

3. Merchants have their own certificates. A merchant must have two certificates for two public keys: one for signing messages and one for key exchange. The merchant also needs a copy of the payment gateway's public-key certificate.

4. The customer places an order. The customer sends a list of the items to be purchased to the merchant through the web site, which returns an order form containing the list of items, their prices, and an order number.

5. The merchant is verified. The merchant sends a copy of its certificate, so that the customer can verify that he is dealing with a valid store.

6. The order and payment are sent. The customer sends both order and payment information to the merchant, along with the customer's certificate. The payment is encrypted in such a way that it cannot be read by the merchant. The customer's certificate enables the merchant to verify the customer.

7. The merchant requests payment authorization. The merchant sends the payment information to the payment gateway, requesting authorization for this purchase.

8. The merchant confirms the order. The merchant sends confirmation of the order to the customer.

9. The merchant provides the goods or service.

10. The merchant requests payment. This request is sent to the payment gateway, which handles all of the payment processing.

Now we discuss an interesting innovation introduced in SET: the dual signature. The purpose of the dual signature is to link two messages that are intended for two different recipients. In this case, the customer has two messages: the order information (OI) and the payment information (PI). OI is sent to the merchant while PI is sent to the bank. However, there must be a link between OI and PI. For example, a customer does not want the merchant to know the PI, but the merchant needs to know that the customer provided the PI for this specific OI. SET uses a dual signature to solve that problem. Let h be a hash function (SHA-1). The dual signature (DS) is as follows.

$DS = \mathrm{Sig}_{K_c}\bigl(h(h(PI) \,\|\, h(OI))\bigr)$

where $K_c$ is the customer's private signature key. The customer then gives OI, h(PI) and DS to the merchant, and gives PI, h(OI) and DS to the bank. Both the merchant and the bank can verify the signature, since they know the customer's public signature key. However, the merchant cannot substitute another OI in this transaction to its advantage, since it is difficult to find another OI that has the same hash digest.
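The construction above, carried through in code as an added example (this is not part of the original notes or of the SET specification). SHA-1 plays the role of h. The RSA key is a toy built from two small Mersenne primes with no padding, an assumption made only so the example runs stand-alone; the order and payment strings are constructed sample data.

```python
"""Dual signature as used in SET, with SHA-1 and a toy RSA signature (added example)."""
import hashlib

# Toy RSA key built from two Mersenne primes. The modulus is only about 92 bits
# and there is no padding, so this is for illustration only (assumption of the demo).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, Python 3.8+


def h(data: bytes) -> bytes:
    """The hash function h used by SET (SHA-1)."""
    return hashlib.sha1(data).digest()


def sign(digest: bytes, d: int = D) -> int:
    """Textbook RSA signature over the digest reduced mod N (customer's private key)."""
    return pow(int.from_bytes(digest, "big") % N, d, N)


def verify(digest: bytes, sig: int, e: int = E) -> bool:
    """Anyone holding the public key (N, e) can check the signature."""
    return pow(sig, e, N) == int.from_bytes(digest, "big") % N


def dual_signature(pi: bytes, oi: bytes) -> int:
    """DS = Sig_Kc(h(h(PI) || h(OI))), computed by the customer."""
    return sign(h(h(pi) + h(oi)))


def merchant_verifies(oi: bytes, h_pi: bytes, ds: int) -> bool:
    """The merchant receives OI in clear, only the digest h(PI), and DS."""
    return verify(h(h_pi + h(oi)), ds)


def bank_verifies(pi: bytes, h_oi: bytes, ds: int) -> bool:
    """The bank (payment gateway) receives PI, only the digest h(OI), and DS."""
    return verify(h(h(pi) + h_oi), ds)


# Constructed sample order and payment information.
OI = b"order=1234;item=widget;qty=2;total=59.99"
PI = b"card=4111111111111111;exp=12/05;amount=59.99;order=1234"


def demo() -> dict:
    ds = dual_signature(PI, OI)
    forged_oi = b"order=1234;item=widget;qty=200;total=59.99"
    return {
        "merchant_ok": merchant_verifies(OI, h(PI), ds),
        "bank_ok": bank_verifies(PI, h(OI), ds),
        # The merchant cannot swap in a different OI: the outer digest no longer matches.
        "forged_oi_rejected": not merchant_verifies(forged_oi, h(PI), ds),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the merchant never sees PI, only h(PI), yet the signature it verifies commits the customer to that exact PI; the bank is in the symmetric position with respect to OI.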

To encrypt the PI, the customer chooses a session key and uses that key for encryption. The session key is then encrypted using the payment gateway's public key. In this way, the merchant cannot decrypt the PI. However, the payment gateway can recover the information after the merchant forwards it.

SET provides 14 transaction types. We omit the details here. Unlike SSL and SSH, the cryptographic algorithms used in SET are fixed. It uses DES, RSA signatures with SHA-1, HMAC based on SHA-1, and X.509v3 digital certificates.

SET is a very comprehensive and complicated security protocol. It addresses all the parties involved in typical credit card transactions. To deploy SET, every party needs to have some part of the software, and possibly very expensive hardware. That is why SET is not widely used, although people believe that it is safe. How to simplify SET while keeping its main security features is still an open problem.


Chapter 9

IP Security

Network architecture is usually explained as a stack of different layers. Figure 9.1 shows the OSI (Open Systems Interconnection) model stack and the IP (Internet Protocol) model stack. TCP is the Transmission Control Protocol, IP is the Internet Protocol, UDP is the User Datagram Protocol, and the data link layer includes Ethernet, PPP, FDDI, etc.

    OSI model        IP model
    Application      Application
    Presentation
    Session
    Transport        TCP/UDP
    Network          IP
    Data Link        Data link
    Physical         Physical

Figure 9.1: Network layer stack

We have seen some security protocols at the application level (PGP, S/MIME, etc.) and at the transport level (SSL, TLS). In this chapter, we investigate IP-level security.


9.1 TCP/IP Protocol

The method of communication on the network is to send and receive chunks of data called packets. A packet is comprised of small chunks of data that each layer appends onto the packet data it received from the layer directly above it.

A TCP/IP packet can be described as follows.

Link-H IP-H TCP-H Data Link-T

where H means the header of that layer and Link-T is the trailer of the link layer. Usually, when a packet to be sent is formed, the application data is generated first, then the headers of the different layers are added. To secure communications, we need to encrypt the packets.

Network security encryption can be classified into two types.

• End-to-end encryption: The encryption process is carried out at the two end systems.

• Link encryption: The encryption process is carried out on each link.

Figure 9.2 is a simple example of these two types of encryption.

[Figure 9.2: Types of encryption. Link encryption is applied on each link between routers; end-to-end encryption is applied between the two end systems across the Internet.]

End-to-end encryption is simple, but it cannot be performed at a low level of the communication hierarchy. The address of the message cannot be encrypted, otherwise the packet-switching node cannot route the packet. So end-to-end encryption cannot protect against traffic analysis attacks.


Link encryption can encrypt most data except the link control protocol header. However, each router has to decrypt the data and then encrypt it again.

IPSec provides security at the IP layer. It can be used in a firewall or router, and it can also be used by individual users. So IPSec can be used for either end-to-end encryption or link encryption. Since IPSec is below the transport layer, it can be transparent to end users, so there is no need to change the application software or train users on security mechanisms.

Before discussing IPSec, we need some knowledge of IP. The Internet Protocol (IP) is used to transmit packets across multiple networks. The main version in use is IPv4. The IPv4 header is shown in Figure 9.3.

     0       4       8               16    19               31
    |Version|  IHL  |Type of Service|      Total Length       |
    |       Identification          |Flags|  Fragment Offset  |
    | Time to Live  |   Protocol    |    Header Checksum      |
    |                    Source Address                       |
    |                  Destination Address                    |
    |                  Options + Padding                      |

Figure 9.3: IPv4 header

The size of the IPv4 header is a minimum of 20 octets, or 160 bits. The fields of the IPv4 header are as follows.

• Version (4 bits): The version of IP, the value is 4.

• Internet Header Length (IHL) (4 bits): Length of the header in 32-bit words. The minimum value is 5.

• Type of Service (8 bits): Provides guidance to end IP modules and to routers along the packet's path about the packet's relative priority.

• Total length (16 bits): Total IP packet length, in octets.

• Identification (16 bits): A sequence number that, together with the source address, destination address and user protocol, identifies the packet.

• Flags (3 bits): Indicates whether this is the last fragment of the original packet.

• Fragment Offset (13 bits): Indicates where in the original packet this fragment belongs, measured in 64-bit units.

• Time to Live (8 bits): Specifies how long a packet is allowed to remain in the internet.

• Protocol (8 bits): Indicates the next higher level protocol.

• Header Checksum (16 bits): An error-detecting code (for the header only). Since some header fields may change during transit, this is reverified and recomputed at each router.

• Source Address (32 bits): Coded to allow a variable allocation of bits to specify the network and the end system attached to the specified network.

• Destination Address (32 bits): Same characteristics as source address.

• Options (variable): Encodes the options requested by the sending user, such as security label, source routing, record routing, and timestamping.

• Padding (variable): Used to ensure that the packet header is a multiple of 32 bits in length.

A new version of IP, known as IPv6, was developed as a standard by the IETF (Internet Engineering Task Force). The IPv6 header uses fewer fields than IPv4, which lets routers process packets faster. IPv6 provides more space for source and destination addresses, which use 16 bytes (128 bits) each. An IPv6 packet also includes zero or more extension headers, such as the hop-by-hop options header, routing header, fragment header, authentication header, encapsulating security payload header, destination options header, etc. Extension headers are placed between the IPv6 header and the upper-layer header in a packet. The IPv6 header is shown in Figure 9.4.

IPv6 is still being developed and deployed.

IP-level security encompasses three functional areas: authentication, confidentiality and key management.


     0       4           12      16           24           31
    |Version| Traffic class |          Flow label             |
    |       Payload Length      | Next header  |  Hop limit   |
    |              Source Address (128 bits)                  |
    |            Destination Address (128 bits)               |

Figure 9.4: IPv6 header

9.2 IPSec documents

The IPSec documents are developed by the IETF as RFC standards. The documents are divided into seven groups as follows.

• Architecture: Covers general concepts, security requirements, definitions and technology.

• Encapsulating Security Payload (ESP): Covers the packet format, packet encryption and, optionally, authentication.

• Authentication Header (AH): Covers the packet format and packet authentication.

• Encryption Algorithm: Describes the various encryption algorithms used for ESP.

• Authentication Algorithm: Describes the various authentication algorithms used for AH and ESP.

• Key Management: Describes key management schemes.

• Domain of Interpretation (DOI): Contains the values needed for the other documents to relate to each other.


We will not discuss all these documents, but select several of the most important specifications.

An important concept that appears in IPSec is the security association (SA). An association is a one-way relationship between a sender and a receiver. If a two-way exchange is needed, then two SAs are required. An SA is uniquely identified by three parameters.

• Security Parameters Index (SPI): A bit string assigned to this SA, which is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.

• IP Destination Address: This is the address of the destination endpoint of the SA (end user, firewall or router).

• Security Protocol Identifier: This indicates whether the SA is an AH or ESP security association.

9.3 Authentication Header

The Authentication Header (AH) provides support for data integrity and authentication of IP packets. The authentication header is defined as in Figure 9.5.

     0              8              16                          31
    |  Next Header  |Payload Length |          Reserved          |
    |              Security Parameters Index (SPI)               |
    |                      Sequence Number                       |
    |              Authentication Data (variable)                |

Figure 9.5: IPSec Authentication Header

The fields of AH are as follows.

• Next Header (8 bits): Identifies the type of header immediately following this header.


• Payload Length (8 bits): Length of the AH in 32-bit words, minus 2. The default length of the Authentication Data field is three 32-bit words (96 bits), so the default value of Payload Length is 4.

• Reserved (16 bits): For future use.

• Security Parameters Index (32 bits): Identifies a security association.

• Sequence Number (32 bits): A monotonically increasing counter value used to prevent replay attacks.

• Authentication Data (variable, must be an integral number of 32-bit words): Contains the Integrity Check Value (ICV), or MAC, for this packet. The default length of this field is three 32-bit words.

Sequence numbers are used for the anti-replay service. An attacker might obtain a copy of a packet and later transmit it to the destination. Thus when a new SA is established, the sender initializes a sequence number counter to 0. Each time a packet is sent on this SA, the sender increments the counter and places the value in the Sequence Number field. If the number reaches $2^{32} - 1$, a new SA with a new key needs to be set up.

Note that IP is connectionless. So packets may not be delivered in order and some packets might be missing. So the IPSec authentication document dictates that the receiver should implement a window of size W (the default value of W is 64). The right edge of the window represents the largest sequence number, N, received so far. For any packet with a sequence number in the range from N − W + 1 to N that has been correctly received, the corresponding slot in the window is marked. When a packet is received, the receiver does the following.

• If the received packet falls within the window and is new, the MAC is checked and the corresponding slot in the window is marked if the authentication is good.

• If the received packet is to the right of the window, the MAC is checked. If the MAC is good, the window is advanced so that this sequence number is the right edge of the window.

• If the received packet is to the left of the window, or if the authentication fails, the packet is discarded.
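The three receiver rules above, implemented as a sliding bitmap window. This is an added example, not code from the notes or from any IPSec implementation; the window size W = 64 is the default named in the text, the slot bitmap is kept in a single Python integer, and the MAC result is passed in as a boolean so the window logic can be exercised on its own with a constructed sequence of arrivals.

```python
"""Anti-replay window for AH/ESP sequence numbers (added example)."""


class AntiReplayWindow:
    """Receiver-side window of size W covering sequence numbers N-W+1 .. N.

    Bit i of `bitmap` is set when sequence number (right - i) has been
    accepted; bit 0 is the right edge N itself.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.right = 0          # N: largest sequence number accepted so far
        self.bitmap = 0         # marked slots, one bit per sequence number
        self.mask = (1 << size) - 1

    def check(self, seq: int) -> bool:
        """Cheap pre-check before the MAC: is this sequence number acceptable?"""
        if seq == 0:                               # 0 is never sent on an SA
            return False
        if seq > self.right:                       # right of the window: new
            return True
        if seq <= self.right - self.size:          # left of the window: too old
            return False
        return not (self.bitmap >> (self.right - seq)) & 1   # in window: new only if unmarked

    def mark(self, seq: int) -> None:
        """Record an authenticated packet, advancing the window if needed."""
        if seq > self.right:
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)

    def receive(self, seq: int, mac_ok: bool) -> bool:
        """Full receive path: window check, then MAC, then mark. Returns accept/reject."""
        if not self.check(seq):
            return False                           # replay or too old: drop before MAC
        if not mac_ok:
            return False                           # bad ICV: drop, do not mark
        self.mark(seq)
        return True


# Constructed arrival order: (sequence number, MAC verified?) pairs.
SCENARIO = [(1, True), (3, True), (2, True), (2, True), (100, True),
            (36, True), (37, True), (50, False), (50, True)]


def run_scenario(events=SCENARIO, size: int = 64) -> list:
    """Return the accept/reject decision for each arrival in order."""
    w = AntiReplayWindow(size)
    return [w.receive(seq, ok) for seq, ok in events]


if __name__ == "__main__":
    for (seq, ok), decision in zip(SCENARIO, run_scenario()):
        print("seq=%3d mac_ok=%-5s -> %s" % (seq, ok, "accept" if decision else "drop"))
```

In the scenario, packet 2 arrives late but inside the window and is accepted once; its replay is dropped; packet 100 moves the right edge so that 36 falls off the left edge (the window is now 37..100) while 37 is still accepted; and a packet with a bad MAC is dropped without marking its slot, so the genuine packet 50 is still accepted afterwards.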

A receiver's window is shown in Figure 9.6.

[Figure 9.6: A receiver's window. Slots from N − W + 1 to N are marked if a valid packet was received; when a packet with sequence number N + 1 is received the window advances by 1; a late packet to the left of the window is discarded.]

An ICV is a MAC (or HMAC), or a truncated version of the code produced by a MAC (or HMAC) algorithm. For example, HMAC-MD5 or HMAC-SHA-1 is used to produce the code, which is then truncated to its first 96 bits. The input of the MAC algorithm includes those fields which will not be changed in transit (immutable) or that are predictable in value upon arrival at the endpoint. That includes the immutable fields of the IP header, the AH header other than the Authentication Data, and the upper-level protocol data. The mutable fields are set to zero when the ICV is computed.

For example, in the IPv4 header, the Internet Header Length (IHL) and Source Address are immutable. The Destination Address is a predictable field. The Time to Live and Header Checksum fields are mutable, and are zeroed prior to computing the ICV.
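The IPv4 field layout of Figure 9.3 and the ICV rule above, worked through as an added example (not code from the notes or from any IPSec stack). It builds a 20-byte IPv4 header and a transport-mode AH, zeroes the mutable fields that RFC 2402 names for IPv4 (Type of Service, Flags, Fragment Offset, Time to Live, Header Checksum), computes HMAC-SHA-1-96, and then shows that a router decrementing the TTL and recomputing the checksum leaves the ICV valid while a one-bit change to the payload does not. The key, addresses and TCP segment are constructed sample data.

```python
"""AH in transport mode over IPv4: ICV with mutable fields zeroed (added example)."""
import hashlib
import hmac
import struct

AH_PROTO = 51          # IP protocol number of AH
ICV_LEN = 12           # HMAC-SHA-1-96: the 160-bit tag truncated to 96 bits
AH_FIXED_LEN = 12      # Next Header, Payload Length, Reserved, SPI, Sequence Number
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over a 20-byte header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, payload_len: int, ttl: int = 64,
                proto: int = AH_PROTO, tos: int = 0, ident: int = 0x1234) -> bytes:
    """Build a 20-byte IPv4 header (IHL = 5, no options) with a valid checksum."""
    fields = [0x45, tos, 20 + payload_len, ident, 0, ttl, proto, 0, src, dst]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def zero_mutable_ipv4(header: bytes) -> bytes:
    """Replace the RFC 2402 mutable IPv4 fields by zeros for the ICV computation.
    IHL, Total Length, Identification, Protocol and Source Address are immutable;
    Destination Address is predictable; both kinds are left as they are."""
    h = bytearray(header)
    h[1] = 0                    # Type of Service
    h[6:8] = b"\x00\x00"        # Flags + Fragment Offset
    h[8] = 0                    # Time to Live
    h[10:12] = b"\x00\x00"      # Header Checksum
    return bytes(h)


def ah_icv(key: bytes, ip_header: bytes, ah_fixed: bytes, upper: bytes) -> bytes:
    """HMAC-SHA-1-96 over: zeroed IP header || AH with zeroed ICV || upper-layer data."""
    data = zero_mutable_ipv4(ip_header) + ah_fixed + bytes(ICV_LEN) + upper
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, upper: bytes,
                    spi: int, seq: int, upper_proto: int = 6, ttl: int = 64) -> bytes:
    ah_len = AH_FIXED_LEN + ICV_LEN                       # 24 bytes = 6 words
    payload_length = ah_len // 4 - 2                      # 4, as the text states
    ip = ipv4_header(src, dst, ah_len + len(upper), ttl=ttl)
    ah_fixed = struct.pack("!BBHII", upper_proto, payload_length, 0, spi, seq)
    return ip + ah_fixed + ah_icv(key, ip, ah_fixed, upper) + upper


def verify_ah_packet(key: bytes, pkt: bytes) -> bool:
    ip, ah = pkt[:20], pkt[20:20 + AH_FIXED_LEN + ICV_LEN]
    upper = pkt[20 + AH_FIXED_LEN + ICV_LEN:]
    expected = ah_icv(key, ip, ah[:AH_FIXED_LEN], upper)
    return hmac.compare_digest(ah[AH_FIXED_LEN:], expected)


def forward_through_router(pkt: bytes) -> bytes:
    """What each hop does to the outer header: decrement TTL, recompute the checksum."""
    p = bytearray(pkt)
    p[8] -= 1
    p[10:12] = b"\x00\x00"
    p[10:12] = struct.pack("!H", ipv4_checksum(bytes(p[:20])))
    return bytes(p)


# Constructed sample: a 20-byte TCP header (SYN to port 80), no TCP options.
KEY = b"constructed-demo-key-for-hmac"
SRC, DST = bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1])
TCP = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def demo() -> dict:
    pkt = build_ah_packet(KEY, SRC, DST, TCP, spi=0x1000, seq=1)
    hopped = forward_through_router(pkt)
    tampered = bytearray(hopped)
    tampered[-1] ^= 0x01                                   # flip one bit of TCP data
    return {
        "payload_length_field": pkt[21],
        "valid_at_sender": verify_ah_packet(KEY, pkt),
        "valid_after_hop": verify_ah_packet(KEY, hopped),  # TTL/checksum changed, ICV still good
        "tamper_detected": not verify_ah_packet(KEY, bytes(tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

Run stand-alone it prints that the ICV verifies both at the sender and after the simulated hop, and that the tampered packet is rejected; the Payload Length field comes out as 4, matching the default computed in the field list above.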

Note that AH uses a MAC, so there is a shared secret key. We will discuss key management later.

There are two modes in which the IPSec authentication service can be used.

• Transport Mode: Used for end-to-end authentication (e.g., server to client).

• Tunnel Mode: Used for end-to-intermediate authentication (e.g., workstation to firewall).

These two modes are illustrated in Figure 9.7.

[Figure 9.7: IPSec modes. Transport mode runs between the two end systems across the Internet; tunnel mode terminates at a router.]

The position of AH in the packet is as follows. A simple packet before applying AH looks like the following.

    IPv4:  | IP-H | TCP-H | Data |
    IPv6:  | IP-H | Extension H | TCP-H | Data |

Then the packet after applying AH in transport mode is

    IPv4:  | IP-H | AH | TCP-H | Data |
    IPv6:  | IP-H | ext H | AH | dest | TCP-H | Data |

where dest is the destination options extension header. For tunnel mode, the packet after applying AH looks as follows.

    IPv4:  | New IP-H | AH | orig IP-H | TCP-H | Data |
    IPv6:  | New IP-H | ext H | AH | orig IP-H | dest | TCP-H | Data |


Basically, all the fields are authenticated except for the mutable fields, which are set to zero before applying the HMAC.

9.4 Encapsulating Security Payload (ESP)

The ESP provides confidentiality services. As an optional feature, ESP canalso provide authentication service.

The format of ESP is shown in Figure 9.8.

     0                      16              24              31
    |              Security Parameters Index (SPI)              |
    |                      Sequence Number                      |
    |                  Payload Data (variable)                  |
    |       Padding (0 - 255 bytes)      | Pad Length | Next Header |
    |               Authentication Data (variable)              |

Figure 9.8: IPSec ESP Format

The SPI identifies a security association. The Sequence Number is similar to that of AH. These two 32-bit words form the ESP header. The Payload Data is a transport-level segment (transport mode) or an IP packet (tunnel mode) that is protected by encryption. The length of the payload data is variable. The length of the padding is between 0 and 255 bytes. Padding is used to satisfy the block-size requirement of the encryption algorithm and the alignment requirement of the ESP format (the Pad Length and Next Header fields must end on a 32-bit boundary). Sometimes padding can also be used to provide partial traffic flow confidentiality by concealing the actual length of the payload. Pad Length (8 bits) indicates the number of pad bytes. Next Header (8 bits) identifies the type of data contained in the Payload Data field (the first header in that payload). The Authentication Data field contains the ICV.

The Payload Data, Padding, Pad Length and Next Header fields are encrypted. If the encryption algorithm needs an initialization vector (IV), this data may be carried explicitly at the beginning of the Payload Data field. In that case, the encryption usually starts right after the IV.
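The ESP framing just described, as an added example that is not part of the original notes: it computes the padding so that Payload Data, Padding and the two trailer bytes fill whole cipher blocks (and at least whole 32-bit words), fills the pad with the 1, 2, 3, ... bytes that RFC 2406 specifies by default, appends the Pad Length and Next Header trailer, and authenticates SPI, Sequence Number and the (encrypted) payload with HMAC-SHA-1-96. To stay self-contained it uses the ESP_NULL "cipher" of RFC 2410, under which ciphertext equals plaintext; with a real block cipher the same bytes would be encrypted in place, after an IV if the cipher needs one. The block size, key and payload are assumptions of the demo.

```python
"""ESP framing with ESP_NULL encryption and HMAC-SHA-1-96 authentication (added example)."""
import hashlib
import hmac
import struct

ICV_LEN = 12                          # HMAC-SHA-1-96
ESP_HDR = struct.Struct("!II")        # SPI, Sequence Number
ESP_TRAILER = struct.Struct("!BB")    # Pad Length, Next Header


def esp_padding(payload_len: int, block: int = 4) -> bytes:
    """Pad so that payload + padding + 2-byte trailer is a multiple of `block`
    (the cipher block size; at least 4 for the 32-bit alignment ESP requires).
    RFC 2406 default padding content is 1, 2, 3, ... so the receiver can check it."""
    n = (-(payload_len + ESP_TRAILER.size)) % block
    return bytes(range(1, n + 1))


def esp_encapsulate(key: bytes, spi: int, seq: int, payload: bytes,
                    next_header: int = 6, block: int = 4) -> bytes:
    pad = esp_padding(len(payload), block)
    trailer = ESP_TRAILER.pack(len(pad), next_header)
    # ESP_NULL: the "ciphertext" equals the plaintext. A real cipher would encrypt
    # payload + pad + trailer here, with an IV carried at the start of Payload Data.
    ciphertext = payload + pad + trailer
    header = ESP_HDR.pack(spi, seq)
    # The ICV covers header + ciphertext: authentication is applied to the ciphertext.
    icv = hmac.new(key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(key: bytes, pkt: bytes) -> tuple:
    """Return (spi, seq, next_header, payload); raise ValueError on bad ICV or padding."""
    if len(pkt) < ESP_HDR.size + ESP_TRAILER.size + ICV_LEN:
        raise ValueError("ESP packet too short")
    header, ciphertext, icv = pkt[:ESP_HDR.size], pkt[ESP_HDR.size:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")          # checked before any decryption
    spi, seq = ESP_HDR.unpack(header)
    pad_len, next_header = ESP_TRAILER.unpack(ciphertext[-ESP_TRAILER.size:])
    body = ciphertext[:-ESP_TRAILER.size]
    if pad_len > len(body) or body[len(body) - pad_len:] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, body[:len(body) - pad_len]


# Constructed sample data: a key and an 18-byte stand-in for a TCP segment.
KEY = b"constructed-demo-key-for-hmac"
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"


def demo() -> dict:
    # block=8 stands for a 64-bit block cipher such as DES/3DES (assumption of the demo).
    pkt = esp_encapsulate(KEY, spi=0x2000, seq=7, payload=PAYLOAD, next_header=6, block=8)
    spi, seq, nh, payload = esp_decapsulate(KEY, pkt)
    tampered = bytearray(pkt)
    tampered[ESP_HDR.size] ^= 0x80                     # flip one bit of the ciphertext
    try:
        esp_decapsulate(KEY, bytes(tampered))
        rejected = False
    except ValueError:
        rejected = True
    return {"pad_len": pkt[-ICV_LEN - ESP_TRAILER.size], "payload_roundtrip": payload == PAYLOAD,
            "next_header": nh, "spi": spi, "seq": seq, "total_len": len(pkt),
            "tamper_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

With an 18-byte payload and 64-bit blocks the encapsulation adds 4 pad bytes so that 18 + 4 + 2 = 24 fills three blocks; the whole ESP packet is 8 + 24 + 12 = 44 bytes. Because the ICV is checked first, a tampered packet is dropped without the receiver ever examining its padding.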

The packet after applying ESP in transport mode is

    IPv4:  | IP-H | ESP-H | TCP-H | Data | ESP-T | ESP auth |
           encrypted:     TCP-H, Data, ESP-T
           authenticated: ESP-H, TCP-H, Data, ESP-T

    IPv6:  | IP-H | exten-H | ESP-H | dest-H | TCP-H | Data | ESP-T | ESP auth |
           encrypted:     dest-H, TCP-H, Data, ESP-T
           authenticated: ESP-H through ESP-T

For tunnel mode, the packet after applying ESP looks as follows.

    IPv4:  | New IP-H | ESP-H | orig IP-H | TCP-H | Data | ESP-T | ESP auth |
           encrypted:     orig IP-H, TCP-H, Data, ESP-T
           authenticated: ESP-H through ESP-T

    IPv6:  | New IP-H | exten-H | ESP-H | orig IP-H | dest-H | TCP-H | Data | ESP-T | ESP auth |
           encrypted:     orig IP-H, dest-H, TCP-H, Data, ESP-T
           authenticated: ESP-H through ESP-T

When the authentication option is chosen, the authenticated part covers from the ESP header to the ESP trailer.

In practice, IPSec can use different combinations of AH and ESP. We can use ESP with authentication; in this case, the authentication is applied to the ciphertext instead of the plaintext. We can also use two SAs, one for AH and one for ESP: the inner SA is ESP without authentication and the outer SA is AH. Sometimes several SAs are used. The IPSec architecture document lists four examples of combinations of SAs that must be supported by compliant IPSec hosts.

Example 1 implements IPSec between both end systems. Several SAs may be used. They can use AH in transport mode, ESP in transport mode, AH followed by ESP in transport mode, etc. (see Figure 9.9).

[Figure 9.9: Example 1. Security is provided between end systems: local network, router, Internet, router, local network.]

Example 2 implements IPSec only at gateways such as routers, firewalls, etc. In this case, usually only a single tunnel-mode SA is used, which supports AH, ESP, or ESP with the authentication option. This implementation can be used to support a simple virtual private network (see Figure 9.10).

[Figure 9.10: Example 2. Security is provided between secure gateways: local network, secure gateway, Internet, secure gateway, local network.]

Example 3 combines Example 2 with Example 1. One or several end-to-end SAs are added to the gateway-to-gateway security (see Figure 9.11).

Example 4 supports a remote host that reaches an organization's firewall and then accesses an end system behind the firewall. Tunnel mode is used between the remote host and the firewall (see Figure 9.12).

[Figure 9.11: Example 3. Gateway-to-gateway security combined with end-to-end security: local network, secure gateway, Internet, secure gateway, local network.]

[Figure 9.12: Example 4. End-to-gateway security combined with end-to-end security: remote host, Internet, secure gateway, router, local network.]


9.5 Key Management

In AH and ESP, secret keys are required for communication. An important part of IPSec is key management.

IPSec supports two types of key management for both AH and ESP:

• Manual: A system administrator manually configures each system with its own keys and with the keys of the other communicating systems.

• Automated: An automated system enables the on-demand creation of keys for SAs and facilitates the use of keys in a large system.

IPSec's default automated key management protocol is ISAKMP/Oakley. The Oakley key exchange protocol was discussed before; it is based on the Diffie-Hellman key exchange scheme. Now we introduce ISAKMP key management. ISAKMP provides a framework for Internet key management. It does not dictate a specific key exchange algorithm, so other key exchange algorithms can also be used with ISAKMP.

ISAKMP (Internet Security Association and Key Management Protocol) defines procedures and packet formats to establish, negotiate, modify and delete security associations.

The ISAKMP header format is shown in Figure 9.13.

     0              8              16              24              31
    |                   Initiator Cookie (64 bits)                   |
    |                   Responder Cookie (64 bits)                   |
    |  Next Payload  | MjVer | MnVer |  Exchange Type |     Flags     |
    |                           Message ID                           |
    |                             Length                             |

Figure 9.13: ISAKMP header

The Initiator Cookie (64 bits) is the cookie of the entity that initiated SA establishment, SA notification, or SA deletion. The Responder Cookie (64 bits) is the cookie of the responding entity; it is null in the first message from the initiator. Next Payload (8 bits) indicates the type of the first payload in the message, which follows the ISAKMP header. Major Version (4 bits) indicates the major version of ISAKMP in use and Minor Version (4 bits) indicates the minor version in use. Exchange Type (8 bits) indicates the type of exchange. Flags (8 bits) indicates specific options set for this ISAKMP exchange. Message ID (32 bits) is the unique ID for this message. Length (32 bits) is the length of the total message (header plus all payloads) in octets.

ISAKMP payloads follow the ISAKMP header. All ISAKMP payloads begin with the same generic payload header, shown in Figure 9.14.

     0              8              16                              31
    |  Next Payload  |    Reserved    |         Payload Length        |

Figure 9.14: ISAKMP Payload Header

The Next Payload field (8 bits) has value 0 if this is the last payload in the message; otherwise its value is the type of the next payload. The Payload Length field indicates the length in octets of this payload, including the generic payload header.
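The header of Figure 9.13 and the payload chain of Figure 9.14, as an added example (not code from the notes or from any IKE daemon). The parser checks the Length field against the octets actually received, walks the Next Payload chain using each Payload Length, and refuses a payload whose length points past the end of the message, which is the check an implementation needs before trusting any payload body. The numeric payload and exchange type codes are those of RFC 2408; the message it parses is a constructed message 3 of the Identity Protection Exchange (KE followed by NONCE) with made-up cookies and bodies.

```python
"""ISAKMP header and generic-payload chain parser (added example)."""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # 28-byte fixed header
GENERIC_HDR = struct.Struct("!BBH")         # Next Payload, Reserved, Payload Length
FLAG_ENCRYPTION = 0x01                      # payloads after the header are encrypted

# Type codes from RFC 2408.
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}


def build_isakmp(icookie: bytes, rcookie: bytes, exchange: int, msg_id: int,
                 payloads: list, flags: int = 0) -> bytes:
    """payloads is a list of (type_code, body); Next Payload fields are chained,
    the last one being 0, and Length is filled in from the assembled message."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    version = (1 << 4) | 0                                   # MjVer 1, MnVer 0
    return ISAKMP_HDR.pack(icookie, rcookie, first, version, exchange, flags,
                           msg_id, ISAKMP_HDR.size + len(body)) + body


def parse_isakmp(msg: bytes):
    """Return (header_dict, [(payload_name, body), ...]); raise ValueError if malformed."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("message shorter than the ISAKMP header")
    icookie, rcookie, next_p, ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("Length field %d does not match %d received octets" % (length, len(msg)))
    header = {"icookie": icookie, "rcookie": rcookie, "major": ver >> 4, "minor": ver & 0xF,
              "exchange": EXCHANGE_TYPES.get(xchg, xchg),
              "encrypted": bool(flags & FLAG_ENCRYPTION), "msg_id": msg_id}
    payloads = []
    if header["encrypted"]:
        return header, payloads       # the chain cannot be walked without the SA's key
    offset, ptype = ISAKMP_HDR.size, next_p
    while ptype != 0:
        if offset + GENERIC_HDR.size > len(msg):
            raise ValueError("truncated payload header at offset %d" % offset)
        nxt, _reserved, plen = GENERIC_HDR.unpack_from(msg, offset)
        if plen < GENERIC_HDR.size or offset + plen > len(msg):
            raise ValueError("bad Payload Length %d at offset %d" % (plen, offset))
        payloads.append((PAYLOAD_TYPES.get(ptype, ptype),
                         msg[offset + GENERIC_HDR.size:offset + plen]))
        offset, ptype = offset + plen, nxt
    if offset != len(msg):
        raise ValueError("%d trailing octets after the last payload" % (len(msg) - offset))
    return header, payloads


def is_rejected(msg: bytes) -> bool:
    try:
        parse_isakmp(msg)
        return False
    except ValueError:
        return True


# Constructed message 3 of the Identity Protection Exchange: KE followed by NONCE.
ICOOKIE, RCOOKIE = bytes(range(1, 9)), bytes(range(9, 17))
MSG3 = build_isakmp(ICOOKIE, RCOOKIE, exchange=2, msg_id=0,
                    payloads=[(4, b"\x7f" * 16), (10, b"\x55" * 8)])


def demo() -> dict:
    header, payloads = parse_isakmp(MSG3)
    return {"exchange": header["exchange"], "version": (header["major"], header["minor"]),
            "payload_names": [name for name, _ in payloads],
            "body_lengths": [len(body) for _, body in payloads],
            "truncated_rejected": is_rejected(MSG3[:-3]),
            # Overstate the first Payload Length (octets 30-31) so it runs past the end.
            "oversize_rejected": is_rejected(MSG3[:30] + b"\x00\xff" + MSG3[32:])}


if __name__ == "__main__":
    print(demo())
```

The constructed message is 28 + (4 + 16) + (4 + 8) = 60 octets; dropping three octets or inflating a Payload Length makes the parser reject it instead of reading outside the buffer.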

The payload types defined for ISAKMP are as follows.

• SA payload (SA): Used to begin the establishment of an SA. Parameters include the Domain of Interpretation (e.g., IPSec DOI) and a Situation parameter which defines the security policy for this negotiation.

• Proposal payload (P): Contains information used during SA negotiation. The payload indicates the protocol for this SA (ESP or AH), the entity's SPI and the number of transforms.

• Transform payload (T): Includes a transform number which identifies this particular payload. The payload also contains the transform ID and attributes that specify the transform (e.g., 3DES for ESP, HMAC-SHA-1-96 for AH) with its associated attributes (e.g., hash length).

• Key Exchange payload (KE): Used for key exchange (Oakley, PGP, etc.). The payload contains the data required to generate a session key.

• Identification payload (ID): Used to identify the communicating peers. The Data field will contain an IPv4 or IPv6 address.


• Certificate payload (CERT): Transfers a public-key certificate. The payload indicates the type of certificate or certificate-related information.

• Certificate Request payload (CR): Requests the certificate of the other communicating entity. Lists the certificate types and certificate authorities that are acceptable.

• Hash payload (HASH): Contains data generated by a hash function over some message.

• Signature payload (SIG): Contains data generated by a digital signature scheme.

• Nonce payload (NONCE): Contains random data to protect against replay attacks.

• Notification payload (N): Contains either error or status information associated with this SA.

• Delete payload (D): Indicates one or more SAs that the sender has deleted from its database.

RFC 2408 lists five default exchange types, which are described in Figure 9.15. In the table, SA refers to an SA payload with its associated Proposal and Transform payloads. NONCE is a random number used to protect against replay attacks. The AUTH payload is used to authenticate keys, identities and the nonce. In the Identity Protection Exchange, the two parties' identities are protected by encryption. The Aggressive Exchange minimizes the number of exchanges at the expense of not providing identity protection.

We use the diagram in Figure 9.16 to illustrate the payloads exchanged between the two parties in the first round trip. In this example, the initiator offers one proposal containing two transforms; the responder should reply with the one it accepts. This round initiates an SA. The example is the Identity Protection Exchange in ISAKMP.

The second round trip generates the key and sends the nonces. We explain it in Figure 9.17.

We omit the third round trip. It is not difficult to describe this round now.

The Internet Key Exchange (IKE, RFC 2409) further details the key exchange scheme. IKE uses part of Oakley and part of SKEME (Secure Key Exchange MEchanism protocol, a versatile key exchange technique

(a) Base Exchange
    (1) I → R: SA; NONCE              Begin ISAKMP-SA or proxy negotiation
    (2) I ← R: SA; NONCE              Basic SA agreed upon
    (3) I → R: KE; IDi; AUTH          Key generated (by responder); initiator identity verified by responder
    (4) I ← R: KE; IDr; AUTH          Responder identity verified by initiator; key generated (by initiator); SA established

(b) Identity Protection Exchange
    (1) I → R: SA                     Begin ISAKMP-SA or proxy negotiation
    (2) I ← R: SA                     Basic SA agreed upon
    (3) I → R: KE; NONCE              Key generated
    (4) I ← R: KE; NONCE              Key generated
    (5)* I → R: IDi; AUTH             Initiator identity verified by responder
    (6)* I ← R: IDr; AUTH             Responder identity verified by initiator; SA established

(c) Authentication Only Exchange
    (1) I → R: SA; NONCE              Begin ISAKMP-SA or proxy negotiation
    (2) I ← R: SA; NONCE; IDr; AUTH   Basic SA agreed upon; responder identity verified by initiator
    (3) I → R: IDi; AUTH              Initiator identity verified by responder; SA established

(d) Aggressive Exchange
    (1) I → R: SA; KE; NONCE; IDi            Begin ISAKMP-SA or proxy negotiation and key exchange
    (2) I ← R: SA; KE; NONCE; IDr; AUTH      Initiator identity verified by responder; key generated; basic SA agreed upon
    (3)* I → R: AUTH                         Responder identity verified by initiator; SA established

(e) Informational Exchange
    (1) I → R: N/D                    Error notification or deletion

Notation: I = initiator; R = responder; * = payload encryption after the ISAKMP header

Figure 9.15: ISAKMP Exchange Types


    ISAKMP header: Exchange Type = Main Mode, Next Payload = ISA-SA
    SA payload header:        Next Payload = 0, Reserved, Payload Length
        Domain of Interpretation
        Situation
    Proposal payload header:  Next Payload = 0, Reserved, Payload Length
        Proposal #1, PROTO-ISAKMP, SPI size = 0, number of transforms = 2
    Transform payload header: Next Payload = ISA-TRANS, Reserved, Payload Length
        Transform #1, KEY-OAKLEY, preferred SA attributes
    Transform payload header: Next Payload = 0, Reserved, Payload Length
        Transform #2, KEY-OAKLEY, preferred SA attributes

Figure 9.16: ISAKMP exchange round 1

    ISAKMP header: Exchange Type = Main Mode, Next Payload = ISA-KE
    KE payload header:        Next Payload = ISA-NONCE, Reserved, Payload Length
        D-H public value ($\alpha^x$ from the initiator, $\alpha^y$ from the responder)
    NONCE payload header:     Next Payload = 0, Reserved, Payload Length
        $NONCE_I$ or $NONCE_R$

Figure 9.17: ISAKMP exchange round 2


which provides anonymity, repudiability and quick key refreshment) in conjunction with ISAKMP to obtain authenticated keying material. Two phases of exchange are defined in IKE. In Phase 1, the two ISAKMP peers establish a secure, authenticated channel with which to communicate. In Phase 2, Security Associations are negotiated on behalf of services such as IPSec or any other service which needs key material and/or parameter negotiation. Two modes of Phase 1, Main Mode and Aggressive Mode, are described in IKE. For Phase 2, IKE describes Quick Mode. There are different authentication options for each mode. We will not discuss all the details, but give some examples.

An example of Main Mode is authentication with a revised mode of public key encryption. This mode is defined as follows.

1. I → R: HDR, SA.

where HDR is the ISAKMP header whose Exchange Type indicates this mode.

2. I ← R: HDR, SA.

3. I → R: HDR, [HASH(1)], $E_{Pub_R}(NONCE_I)$, $E_{K_I}(KE)$, $E_{K_I}(ID_I)$, [$E_{K_I}(CERT_I)$].

where [x] indicates that x is optional. HASH(1) is a hash (using the negotiated hash function) of the certificate which the initiator is using to encrypt the nonce and identity. $E_{Pub_R}$ is encryption using R's public key $Pub_R$. $NONCE_I$ is I's nonce payload. $E_{K_I}$ is a symmetric encryption algorithm (from the SA payload) with I's secret key $K_I$, which is derived from the nonce.

4. I ← R: HDR, $E_{Pub_I}(NONCE_R)$, $E_{K_R}(KE)$, $E_{K_R}(ID_R)$.

$E_{Pub_I}$ is encryption using I's public key $Pub_I$. $NONCE_R$ is R's nonce payload. $E_{K_R}$ is a symmetric encryption algorithm (from the SA payload) with R's secret key $K_R$, which is derived from the nonce.

5. I → R: HDR*, $HASH_I$.

HDR* indicates payload encryption. $HASH_I$ is the hash payload produced by HMAC. The key is derived from I's cookie and the nonce. The hash function is computed over the Diffie-Hellman key exchange values, the cookies, the SA and I's ID.

Page 154: CS 4476/5413 Lecture Notes INTRODUCTION TO NETWORK SECURITYccc.cs.lakeheadu.ca/cs4476/lecture.pdf · CS 4476/5413 Lecture Notes INTRODUCTION TO NETWORK SECURITY Ruizhong Wei Department

148 CHAPTER 9. IP SECURE

6. I ← R: HDR*, HASHR.

HASHR is similar to HASHI .

The Quick Mode is defined as follows. The payload in this mode is encrypted; since this mode runs in phase 2, after the phase 1 channel has been established, the encryption is possible.

1. I → R: HDR*, HASH(1), SA, NONCE_I [, KE] [, IDcI, IDcR].

   If ISAKMP is acting as a client negotiator on behalf of another party, then the identities are passed as IDcI and IDcR.

2. I ← R: HDR*, HASH(2), SA, NONCE_R [, KE] [, IDcI, IDcR].

   HASH(2) is the hash payload of the message ID, SA, NONCE_R and the optional KE, IDcI, IDcR.

3. I → R: HDR*, HASH(3).

   HASH(3) is the hash payload of the message ID, NONCE_I and NONCE_R.

ISAKMP is not only for IPsec; it can be used for other Internet security purposes as well. For example, it is used for VPNs (virtual private networks).
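The Quick Mode hash checks described above, as an added example that is not from the lecture notes: a Python simulation of the three messages in which R verifies HASH(1) and HASH(3) and I verifies HASH(2), so that a modified SA payload, a wrong key, or a replayed message 3 is rejected. It assumes HMAC-SHA256 as the keyed hash, a constructed phase 1 key, that HASH(1) covers the same payloads as HASH(2) (by analogy), and it follows the notes' simplified description of the hash inputs rather than the exact RFC 2409 layout; the HDR* payload encryption is left out.

```python
import hashlib
import hmac
import os

# Constructed placeholder for the authentication key derived in phase 1
# (in IKE this comes from the phase 1 keying material, SKEYID_a in RFC 2409).
SKEYID_A = b"constructed-phase1-authentication-key"

def prf(key: bytes, *payloads: bytes) -> bytes:
    """Keyed hash over the concatenated payloads; HMAC-SHA256 is an assumption here."""
    return hmac.new(key, b"".join(payloads), hashlib.sha256).digest()

def hash1(key, msg_id, sa, nonce_i, ke=b""):
    # Assumed by analogy with HASH(2): message ID plus every payload after HASH(1).
    return prf(key, msg_id, sa, nonce_i, ke)

def hash2(key, msg_id, sa, nonce_r, ke=b""):
    # HASH(2) as the notes describe it: message ID, SA, NONCE_R and the optional KE.
    return prf(key, msg_id, sa, nonce_r, ke)

def hash3(key, msg_id, nonce_i, nonce_r):
    # HASH(3): message ID, NONCE_I and NONCE_R, binding message 3 to both fresh nonces.
    return prf(key, msg_id, nonce_i, nonce_r)

class Responder:
    """R's side of Quick Mode: every hash payload is verified before the SA is accepted."""
    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}      # message ID -> (SA, NONCE_I, NONCE_R), waiting for message 3
        self.established = {}  # message ID -> SA accepted once HASH(3) has verified

    def on_message1(self, msg_id, h1, sa, nonce_i, ke=b""):
        if not hmac.compare_digest(h1, hash1(self.key, msg_id, sa, nonce_i, ke)):
            return None  # HASH(1) does not match the payloads that arrived: discard
        nonce_r = os.urandom(16)
        self.pending[msg_id] = (sa, nonce_i, nonce_r)
        return hash2(self.key, msg_id, sa, nonce_r, ke), sa, nonce_r, ke

    def on_message3(self, msg_id, h3):
        if msg_id not in self.pending:
            return False  # unknown, or already completed (a replayed message 3 ends here)
        sa, nonce_i, nonce_r = self.pending[msg_id]
        if not hmac.compare_digest(h3, hash3(self.key, msg_id, nonce_i, nonce_r)):
            return False
        self.established[msg_id] = sa
        del self.pending[msg_id]
        return True

def initiator_run(resp, key, msg_id, sa, ke=b"", sa_on_wire=None):
    """I's side of the exchange; sa_on_wire models the SA payload being altered in transit."""
    nonce_i = os.urandom(16)
    h1 = hash1(key, msg_id, sa, nonce_i, ke)
    reply = resp.on_message1(msg_id, h1, sa if sa_on_wire is None else sa_on_wire, nonce_i, ke)
    if reply is None:
        return False
    h2, sa_r, nonce_r, ke_r = reply
    if not hmac.compare_digest(h2, hash2(key, msg_id, sa_r, nonce_r, ke_r)):
        return False
    return resp.on_message3(msg_id, hash3(key, msg_id, nonce_i, nonce_r))
```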


Chapter 10

Firewall

Firewalls are devices used to protect a local network from network-based security threats while at the same time affording access to the wide area network and the Internet. Basically, a firewall provides access control for a local system according to specific policies. In this chapter we give an overview of firewalls. Figure 10.1 explains the position of a firewall.

10.1 Some Characteristics of a Firewall

The definition of a firewall depends on how and to what extent a firewall is used in a network. In general, the design goals for a firewall are:

• All traffic from inside to outside, and vice versa, must pass through the firewall.

• Only authorized traffic, defined by the local security policy, will be allowed to pass the firewall. A firewall usually has good logging facilities and notification abilities.

• The firewall itself is immune to penetration. This implies the use of a secure operating system, regular patching of the system, secure administrative access, etc.

Figure 10.1: A Firewall (the firewall sits between the local network and the Internet)

Some general techniques that firewalls use are as follows.

• Service control: Determines the types of Internet services that can be accessed. The firewall may filter traffic on the basis of IP address and TCP port number.

• Direction control: Determines the direction in which particular service requests may be initiated and allowed to go through the firewall.

• User control: Controls access to a service according to which user is attempting to access it. This is usually applied to inside users. For incoming traffic from outside of the firewall, some protocols are required, such as IPsec.

• Behaviour control: Controls how particular services are used. For example, it may enable external access to only a portion of the information on a local Web server.

It should be noted that firewalls can only protect against certain kinds of attacks from the Internet. They have their limitations, as follows.

• The firewall cannot protect against attacks that bypass the firewall. For example, a dial-out connection will not go through the firewall.

• The firewall does not protect against internal threats.

• The firewall cannot protect against the transfer of virus-infected programs or files. It would be impractical for the firewall to scan all incoming files, e-mails, etc.


10.2 Common Types of Firewall

A basic function of a firewall is to check the TCP (or UDP) and IP headers of a packet according to security rules. A typical TCP header is shown in Figure 10.2.

 0     4          10          16                              31
+-------------------------------+-------------------------------+
|          Source Port          |       Destination Port        |
+-------------------------------+-------------------------------+
|                        Sequence Number                        |
+---------------------------------------------------------------+
|                    Acknowledgement Number                     |
+------+-----------+------------+-------------------------------+
| HLEN | Reserved  |    Code    |            Window             |
+------+-----------+------------+-------------------------------+
|           Checksum            |        Urgent Pointer         |
+-------------------------------+-------------------------------+
|               Options (if any)                |    Padding    |
+-----------------------------------------------+---------------+

Figure 10.2: TCP header

The source port and destination port fields contain the TCP port numbers that identify the application programs at the two ends of the connection. The sequence number identifies the position in the sender's byte stream of the data in the segment. The acknowledgment number identifies the number of the byte the source expects to receive next. HLEN specifies the length of the segment header. The window field contains the buffer size that limits the amount of data the TCP software is willing to accept each time it sends a segment. The code field uses 6 bits of flags to determine the purpose and contents of the segment.

There are several types of firewalls. In most cases, a firewall is a combination of software and hardware. We describe some common types of firewalls below.

(a) Packet-filtering

A basic firewall uses packet-filtering routers. The router applies a set of rules to each incoming IP packet and then forwards or discards the packet. It is usually designed to filter packets going in both directions. Filtering rules are based on fields in the IP or transport header, including source and destination IP addresses and TCP or UDP port numbers. The filter is set up as a list of rules to determine whether to permit or block a packet. When a packet comes, the router checks whether it matches one of the rules. The rules are checked from top to bottom on the list. If a rule is matched, then the rule is invoked. Otherwise, a default action is called.

Two possible default policies can be set: discard or forward. The default discard policy is more conservative.

Figure 10.3 shows the algorithm of the packet filtering.

Figure 10.3: Packet Filtering Algorithm (check the headers of the packet; read a rule; if the packet matches the rule, forward the packet or discard it and send a fail ACK, as the rule says; otherwise read the next rule)

Now let us see some examples of packet filtering rules. In each set, the rules are applied top to bottom.

Example A.

   action   ourhost   port   theirhost   port   comment
   block    *         *      SPIGOT      *      Don't trust these people
   allow    OUR-GW    25     *           *      connect to our SMTP
   block    *         *      *           *      default

In this example, inbound mail is allowed, but only to a gateway host (OUR-GW). Mail from a particular host, SPIGOT, is blocked. The default policy is discard.

Example B.

   action   ourhost   port   theirhost   port   comment
   allow    *         *      *           25     connect to their SMTP

This rule set is intended to specify that any inside host can send mail to the outside.

Example C.

   action   src           port   dest   port   flags   comment
   allow    {our hosts}   *      *      25             to their SMTP
   allow    *             25     *      *      ACK     their replies

This set of rules takes advantage of a feature of TCP connections. Once a connection is set up, the ACK flag of a TCP segment is set to acknowledge segments sent from the other side. The rules allow our hosts to send packets to destinations with TCP port 25 and allow incoming packets with a source port number of 25 that have the ACK flag set in the TCP segment.

Example D.

   action   src           port   dest   port     flags   comment
   allow    {our hosts}   *      *      *                our outgoing calls
   allow    *             *      *      *        ACK     replies to our calls
   allow    *             *      *      > 1024           traffic to nonservers

This rule set is used to handle FTP connections. With FTP, usually two TCP connections are used. Port 20 or 21 is used to set up the file transfer. A data connection uses a different port number that is dynamically assigned for the transfer. Since most servers live on low-numbered ports, most outgoing calls tend to use a port above 1023. This rule set allows our hosts to call external machines and receive the reply packets, and other incoming packets for high-numbered ports on an internal machine are allowed as well. This scheme requires that the systems are configured so that only appropriate port numbers are in use.


On a Cisco router, the access control lists (ACLs) are typed in. For example, the following two lines of ACL allow any packet with a destination IP address of 216.211.73.222 and port 80 (HTTP) but deny the other IP packets with that destination IP address:

   access-list 101 permit tcp any 216.211.73.222 0.0.0.0 eq 80

   access-list 101 deny ip any 216.211.73.222 0.0.0.0

The advantages of a packet-filtering router are simplicity and speed. The disadvantages are the lack of authentication and the difficulty of setting up packet filter rules correctly.
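Examples C and D above as a rule-evaluation routine, added here as an example that is not part of the lecture notes: rules are tried top to bottom, the first match decides, and the default policy is discard, so an inbound packet from port 25 without ACK is dropped under Example C while Example D admits any inbound packet to a port above 1024, the weakness the notes point out. The `Packet`, `Rule` and `OUR_HOSTS` names are assumptions, and the addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass

# Constructed stand-in for "{our hosts}" (addresses from the RFC 5737 documentation range).
OUR_HOSTS = frozenset({"192.0.2.10", "192.0.2.11"})

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # the ACK bit of the TCP code field

@dataclass
class Rule:
    action: str          # "allow" or "block"
    src: object = "*"    # "*", a single host, or a set of hosts
    sport: str = "*"     # "*", a port such as "25", or a bound such as ">1024"
    dst: object = "*"
    dport: str = "*"
    flags: str = ""      # "ACK" requires the ACK flag to be set, "" means any
    comment: str = ""

def host_matches(spec, host: str) -> bool:
    if isinstance(spec, (set, frozenset)):
        return host in spec
    return spec == "*" or spec == host

def port_matches(spec: str, port: int) -> bool:
    if spec.startswith(">"):
        return port > int(spec[1:])
    return spec == "*" or port == int(spec)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (host_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and host_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)
            and (rule.flags != "ACK" or pkt.ack))

def filter_packet(rules, pkt: Packet, default: str = "block") -> str:
    """Rules are checked top to bottom; the first match decides, else the default applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default

# Example C from the notes: outbound SMTP, plus replies from port 25 that carry ACK.
EXAMPLE_C = [
    Rule("allow", src=OUR_HOSTS, dport="25", comment="to their SMTP"),
    Rule("allow", sport="25", flags="ACK", comment="their replies"),
]
# Example D from the notes: outgoing calls, ACK replies, and anything to a port above 1024.
EXAMPLE_D = [
    Rule("allow", src=OUR_HOSTS, comment="our outgoing calls"),
    Rule("allow", flags="ACK", comment="replies to our calls"),
    Rule("allow", dport=">1024", comment="traffic to nonservers"),
]
```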

Stateful packet filters are more intelligent than simple packet filters. A stateful packet filter can block pretty much all incoming traffic and still allow return traffic for the traffic generated by inside hosts. To do that, a record of the transport layer connections that are established through the filter is kept. An example of a connection state table is shown in Figure 10.4.

   source address   source port   dest address    dest port   connection state
   129.168.1.100    1030          210.9.88.29     80          established
   129.168.1.102    1031          216.32.42.123   80          established
   129.168.1.101    1033          173.66.32.122   25          established

Figure 10.4: Stateful Firewall State Table

Usually, an application that creates a TCP connection uses a port number less than 1024 for the remote server but a port number between 1024 and 16383 for the local client. If we permit inbound network traffic on all these high-numbered TCP ports, a vulnerability occurs. The stateful packet filter will allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in the table.

(b) Application-level Gateway

An application-level gateway is also called a proxy server. The user contacts the gateway using a TCP/IP application and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the remote host and relays the application data between the two endpoints. If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. The gateway can be configured to support only specific features of applications.

Application-level gateways tend to be more secure than packet filters because they are aware of application-level protocols and they can restrict or allow access based on these protocols. They can also look into the data portion of the packets and use that information to restrict access. The disadvantage of an application-level gateway is the additional processing overhead on each connection, which slows down the communications.

(c) Circuit-level Gateway

A circuit-level gateway does not permit an end-to-end TCP connection. The gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. The firewall intercepts TCP connections being made to a host behind it and completes the handshake on behalf of this host. The security function consists of determining which connections will be allowed. Once the two connections are established, the gateway usually will not examine the TCP segments.

A typical use of a circuit-level gateway is in a situation in which the internal users are trusted. Then the gateway can be configured to support circuit-level functions for outbound connections and proxy service on inbound connections (i.e., check incoming data but not outgoing data).

10.3 Implementation of Firewall

To design a firewall, many factors need to be considered. First, a security policy should be set, which depends on the requirements of the local system and the environment. Other important things that need attention are the ease of configuration of the firewall and the security of the firewall itself.

A common method used in firewalls is designing a demilitarized zone (DMZ). A DMZ is a zone in the network that is segregated from the rest of the network. A DMZ contains servers that need to be accessed from the public network, such as web servers, FTP servers, etc. A firewall should be designed so that even if some servers in the DMZ are compromised, the rest of the private network will not be compromised.

Firewall Configuration

Usually, a firewall configuration consists of more than one system. To configure a firewall, a written security policy should be formed first. Then a firewall is designed to implement the policy. The firewall should be reviewed and updated from time to time.

In the following, we discuss three common firewall configurations. In what follows, a bastion host is a system identified by the firewall administrator as a critical strong point in the network's security. Usually, a bastion host serves as an application-level or circuit-level gateway.

In a screened host firewall, single-homed bastion configuration, the firewall consists of two systems: a packet-filtering router and a bastion host. This configuration implements both packet-level and application-level filtering, allowing flexibility in defining security policy. For example, the router can be set so that only the IP packets from or to the bastion host are allowed. The bastion host performs authentication and proxy functions. This configuration can also be set to provide direct Internet access. In this case, the outgoing packets can go directly to the router.

Figure 10.5: Single-homed bastion host (labels in the figure: bastion host, packet-filtering router, server, local network, Internet)

The screened host firewall, dual-homed bastion configuration physically separates the router and the private network hosts. In this case, even if the router is compromised, the hosts are still protected by the proxy.

Figure 10.6: Dual-homed bastion host (labels in the figure: bastion host, packet-filtering router, server, local network, Internet)

The third configuration is the screened subnet firewall. In this configuration, two packet-filtering routers are used, one between the bastion host and the Internet and one between the bastion host and the internal network. This configuration creates an isolated subnetwork, which may consist of the bastion host and/or several information services and modems for dial-in capability.

Figure 10.7: Screened-subnet firewall (labels in the figure: local network, bastion host, packet-filtering router, server, Internet)

A modern firewall usually provides more functions, such as a graphical configuration interface, allowing varying security levels to be assigned to its various interfaces, extensive logging capabilities, network address translation (NAT), etc.


Index

Advanced Encryption Standard, 45
AES, 45
authentication, 69
autokey cipher, 27
birthday attack, 83
block, 17
block cipher, 26
brute-force attack, 11
Caesar Cipher, 10
CBC mode, 43
CFB mode, 43
chosen ciphertext, 9
chosen plaintext, 9
ciphertext, 8
ciphertext-only, 9
cryptanalysis, 9
cryptosystem, 8
CTR mode, 44
D-H key exchange, 86
Data Authentication Algorithm, 77
DES, 35
DES Cracker, 42
differential cryptanalysis, 41
Diffie-Hellman cryptosystem, 63
Digital Signature Standard, 74
discrete logarithm problem, 63
DSS, 74
ECB mode, 42
ElGamal cryptosystem, 63
ElGamal signature scheme, 72
Elliptic curve cryptosystem, 66
Euclidean algorithm, 57
Euler's Theorem, 56
Feistel type cipher, 36
Fermat's Theorem, 56
finite fields, 52
hash functions, 78
Hill cipher, 23
HMAC, 84
KDC, 55
Kerberos, 88
Kerckhoff's principle, 9
key space, 8
known plaintext, 9
LFSR, 28
linear cryptanalysis, 42
linear feedback shift register, 28
MAC, 77
MD5, 80
message authentication code, 77
Miller-Rabin primality test, 62
monoalphabetic, 16
Monte Carlo algorithm, 61
non-synchronous stream cipher, 26
NTRU, 66
Oakley, 87
OFB mode, 43
one time password, 95
password, 93
periodic stream cipher, 26
permutation cipher, 16
PGP, 103
PKI, 90
plaintext, 8
Pretty good privacy, 103
product cryptosystems, 31
Public key encryption, 55
Public Key Infrastructure, 89
Rabin cryptosystem, 66
RC4, 29
RSA Public-key system, 59
RSA signature scheme, 70
S-box, 38
secure shell, 97
SHA, 81
shift cipher, 10
signature scheme, 69
square-and-multiply algorithm, 61
SSH, 97
stream cipher, 26
substitution cipher, 12
synchronous stream cipher, 26
triple DES, 45
Vigenere Cipher, 18
X.509, 90